Sunday, February 12, 2012

Buffer Overflow - Direct Return - RMtoMP3 Converter

After a lot of searching for information about RM-MP3 Converter, I found a proof-of-concept exploit on exploit-db, a basic script written in Perl. I built the fuzzer in the directory /var/www/ so that the result can be shared with the target through apache2.
I searched exploit-db for a PoC for RM-MP3 Converter version 3.1.2.1.
I built the fuzzer from this source and made a script like this:
After building it, I ran the script with the perl command (# perl <name_file>.pl); this creates a file with the .ram extension in the www directory.
This appears after I start the apache2 server to share it. I then load that file into RM-MP3 Converter from OllyDbg to monitor the state of memory.
Now load the fuzzer file to see how the memory state changes.

When the fuzzing is finished, I add a string pattern from Metasploit.
Using the Metasploit tool to generate the string, I fill the fuzzer script with these characters:
The script is changed like that, and I run it once more to generate the fuzzer file and repeat the first step.
Now the memory state has changed. In the next step I use Metasploit again to count the bytes from ESP to EIP so I can fix the address of EIP; I found the EIP address is 36695735.
I tried generating the offset with Metasploit's pattern_offset tool, but it did not change anything; I wonder why this does not work.
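To show how the Metasploit pattern tools arrive at an offset from the EIP value above, here is an added example (my own code, not the script from this post and not Metasploit's): it rebuilds the pattern_create/pattern_offset logic in Python and, as an assumption taken from the comment on this post, allows for a fixed prefix such as "http://" written before the pattern. The EIP value 36695735 is the one reported above.

```python
import string

# Metasploit-style cyclic pattern: triples of (uppercase, lowercase, digit)
# in a fixed order, so every 4-byte window is unique within the first
# 26 * 26 * 10 * 3 = 20280 characters. pattern_create.rb works the same way.
def pattern_create(length):
    triples = (u + l + d
               for u in string.ascii_uppercase
               for l in string.ascii_lowercase
               for d in string.digits)
    return ''.join(triples)[:length]

def eip_to_chars(eip_hex):
    # OllyDbg shows EIP as a little-endian DWORD (e.g. 36695735), so the
    # four pattern characters that landed in it are the bytes reversed.
    return bytes.fromhex(eip_hex)[::-1].decode('ascii')

def pattern_offset(eip_hex, length=20280, prefix_len=0):
    """Return the distance from the start of the file data to the bytes that
    reached EIP, or None if the value is not part of the pattern at all."""
    pat = pattern_create(length)
    needle = eip_to_chars(eip_hex)
    idx = pat.find(needle)
    if idx == -1:
        # Allow for the value having been read in big-endian order.
        idx = pat.find(needle[::-1])
    if idx == -1:
        return None
    # Any fixed data written before the pattern (assumption: a prefix such
    # as "http://", as the comment on this post mentions) shifts the real
    # offset by its length.
    return prefix_len + idx

if __name__ == "__main__":
    eip = "36695735"  # value taken from the post
    print(eip_to_chars(eip))                               # 5Wi6
    print(pattern_offset(eip))                             # 17417
    print(pattern_offset(eip, prefix_len=len("http://")))  # 17424
```

If pattern_offset returns None, the value in EIP did not come from the pattern at all, which is the first thing to rule out before suspecting the tool.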

I found the solution for finding the offset here.
The problem is that pattern_offset cannot find the location of the byte data and count it accurately; maybe in this case there are 2 variables. Next I check that the location for EIP has been found and modify the script like this:
After making it, I test this script on the application.
I found that this script successfully overwrites EIP. Next I load a payload into the script, using the Metasploit web interface to generate the payload.
With these settings, the payload is generated like this:
And I apply it to the script like this:
After I loaded this payload and tried to exploit the application, I failed. With the data collected from the beginning until now, I decided to adapt this Perl script into a Python script, because I have very little understanding of Perl, so I chose to convert it to Python.
I built a new script with the .py extension to make the exploit for RM-MP3 Converter.
I made a new file named exploitconverter.py to generate the exploit; that script looks like this:
I use the payload I generated before, and all the data is adopted from the Perl script.
After finishing the build, I try to create a new exploit for the final act; I hope this one succeeds.
When I load the .ram file into the target application, the converter hangs and freezes, and I try to connect with telnet on port 6666 from the attacker side.
At this point you can see the exploit succeeded, but I do not feel it is 100% successful, because I did not use the Perl script through to the end. The concept of attacking with a .ram file is that the application is vulnerable in how it identifies the file to load: whatever file is loaded will be run in the application. That condition can be exploited from the attacker side by making an exploit file that opens a connection on the port included in the payload on the system; as we can see from the first step until now, the whole process is for opening a connection on a port, and here I use port 6666.

1 comment:

  1. Try removing "http://" before the pattern code and executing it again.. :)

IS2C © 2012 Blog's Student | is2c