This time I will try to exploitation on BigAnt server applications
- The first application we will use wireshark, to see BigAnt server application running on port number
 |
| bigantserver seen running on port 6660. good starting point for pushing start |
and application which is based SEH stack overflow.
still wondering if What is SEH (Structured Exception Handling)
can be viewed on the link below:
http://msdn.microsoft.com/en-us/library/ms680657%28v=vs.85%29.aspx
- Let's start by making fuzzing in the command "USV" owned by bigantserver
my fuzzer:
BigAnt first open the application server. The next open OllyDbg. click on the file menu and click on the menu attach OllyDbg. My next pick Antserver menu.
- running your fuzzing.
- see the results., ESI only the affected memory
- This application crashes, but this time unlike the previous case,
EIP register are not affected by the buffer that we send.
will display a table, as shown below
- we then forward the data from the SEH chain into memory.
press shift + F9
 |
| Now note that the EIP be "\ X41" |
- further to see the data that resides in memory applications.
Right click on the row stack -> follow in dump
- the next stage. locate command POP, POP, RETN
in OllyDbg we select view -> Executable Modules -> double click on the file vbajet.dll
- after entering into windows CPU from vbajet 32.dll file
right click -> Search For -> Sequence of Commands
 |
| it will display a search window will appear. enter as the image and click find |
- OllyDbg will lead to a memory address in the file vbajet32
 |
- pattren_create next we create a string of 2500 bytes.
 |
| copy is to the application fuzzer we have made |
- I then put a string pattern in my application fuzzer
fuzzer pattern:
- behold., BigAnt server to crash. repeat as in the beginning., into the SEH chain and press shif + F9
- then find the total value obtained in the EIP
- then change back to your fuzzer
fuzzer:
- after our fishing SEH. Next we enter the fuzzer that has a command POP, POP, RETN
I tried running the fuzzer which has been made.,
but always failed.
My next change., almost the same as in the book harmes haking
FUZZING:
- before running the fuzzing it is restarted again on BigAnt server applications and ollydebg. then make the address on the address of SEH brakpoit memory, plug the module into the poitbreak vbajet32 , then run the fuzzer
- click shift +F9. to continue the process into the memory
- Right click on the first memory -> follow in dump
shown in the lower left corner "direct memory into the memory stack
- then we make the shellcode using. / msfweb
- klick generate payload.
- Olly debug and look at the chain safe., seen that seh storing the wrong value
and now try to delete the contents of the payload and restart OllyDbg and see the SEH cain
- then we try to insert a payload-line per line
I found a bad character on the line to 14
I've found the bad character
/ x20
and I enter in my gennerade
- I tried re-generade
final fuzzer:
- BigAnt OllyDbg and restart the server. and put a breakpoint on the address of SEH. note the value of the SEH cain, "according to the expected address" is the vbajet 32.
 |
| then do a telnet |
 |
and now the windows are fully owned by you
|
referens: Harmless Hacking
Tidak ada komentar:
Posting Komentar