Wednesday, 22 February 2012

Buffer Overflow in Easy Chat Server: "SEH and SafeSEH"

First I want to find a vulnerability in Easy Chat Server. I choose Wireshark to sniff the packet data sent to the server. Before using Wireshark, I open Easy Chat Server in a web browser and register an account.

I log in to the server and choose a friend to chat with.

Run Wireshark to sniff the packet data going to Easy Chat Server. I see the packets to the Easy Chat Server at IP 192.168.56.101.

From the request captured in Wireshark I write a fuzzing script. The fuzzer I built is shown below:

Run Easy Chat Server and then OllyDbg. Click View > Attach, find the Easy Chat Server process and click Attach.

The program crashes, but the EIP register is not overwritten by the buffer that was sent, because this application uses SEH. To look at the SEH handlers, choose View > SEH Chain.

Now the EIP value becomes 41414141.

To view the data inside the application's memory, right-click line 3 of the stack > Follow in Dump. The buffer data is then visible in the memory window on the left.

Copy the file ssleay32.dll to the BackTrack system to check whether this file contains an SEH handler address that can be used.

Open a terminal and go into the Metasploit directory. Type ./msfpescan -p /tmp/ssleay32.dll. We try to use the module ssleay32.dll in the SEH chain.

Double-click SSLEAY32.dll, then right-click > Search for > Sequence of commands. When the search window appears, type POP r32, POP r32, RETN and click Find.

Now OllyDbg has found the memory address in SSLEAY32.dll.

Open a terminal and run ./pattern_create.rb.

Copy the pattern_create.rb output into the script and run the script again. Easy Chat Server crashes. Note the value in EIP.

Open a terminal and run pattern_offset with the value found in EIP.
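The pattern_create / pattern_offset step above, as an added Python re-implementation for crash triage (not part of the original post and not Metasploit's own code): it builds the same cyclic pattern and finds the offset either from the 4 bytes seen in the dump or from the register value as OllyDbg shows it. The EIP value 41386141 used in the comments is a constructed sample, not taken from the post.

```python
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGIT) * 3  # 20280 bytes before it repeats


def pattern_create(length: int) -> str:
    """Build the cyclic pattern in the same order pattern_create.rb uses.

    Each 3-byte triplet (upper, lower, digit) is unique, so any 4-byte
    window occurs at exactly one offset within the first 20280 bytes.
    """
    if length > MAX_LEN:
        raise ValueError("pattern repeats after %d bytes" % MAX_LEN)
    triplets = (u + l + d for u, l, d in itertools.product(UPPER, LOWER, DIGIT))
    return "".join(triplets)[:length]


def pattern_offset(value: str, length: int = MAX_LEN) -> int:
    """Return the offset of `value` in the pattern, or -1 if it is not there.

    `value` is either the ASCII bytes seen in the dump ("Aa8A") or the
    register value as the debugger prints it ("41386141" or "0x41386141").
    A 32-bit register holds the bytes little-endian, so, like
    pattern_offset.rb, a value of exactly 8 hex digits is unpacked as a
    little-endian dword before searching: 0x41386141 -> "Aa8A".
    """
    hexpart = value[2:] if value.lower().startswith("0x") else value
    if len(hexpart) == 8 and all(c in "0123456789abcdefABCDEF" for c in hexpart):
        needle = struct.pack("<I", int(hexpart, 16)).decode("latin-1")
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Constructed sample: the debugger reported EIP = 41386141 after the crash.
    print(pattern_create(40))            # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A
    print(pattern_offset("41386141"))    # 24
    print(pattern_offset("41414141"))    # -1: plain "AAAA" never occurs in the pattern
```

A result of -1 for a value that looks like pattern bytes usually means the bytes were read in the wrong byte order or the crash value came from somewhere other than the sent buffer.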

Type the script below:

The script executed successfully: the buffer value \x41 reached the SEH handler.

Type the script below to insert the address found by msfpescan in SSLEAY32.dll:

See that OllyDbg breaks the process exactly when it is about to access the address in SSLEAY32.dll. Look at the SEH chain.

Press Shift+F9 to continue the process into the SSLEAY32.dll memory.

Open a web browser and go to localhost on port 5555. Now in Metasploit choose a payload: search os::win32, then choose Windows bind shell,

and I know this payload contains bad characters. I regenerate the payload, excluding the bad characters "\x20\x25\x0a\x0d\x08\x80\x32\x6e\x3f".

Copy the payload into the fuzzer script.

Run the script.

See the result: Easy Chat Server crashes.

Connect with telnet from a terminal. The exploit is now successful.
