Software Exploitation : Ezserver

Today we are going to exploit an application named Ezserver. Ezhometech Ezserver is a simple HTTP server that serves the web pages a client requests.
We will be using Windows XP SP3 English in VirtualBox.


[*] Information gathering

- The app listens on port 8000; nmap reports it as:
8000/tcp open  http-alt
- The web interface is HTML with heavy JavaScript.

[*] Fuzzing

- Create a simple fuzzer that sends a request to Ezserver.

- Send a buffer of "A"s. The first try with 1000 A's leaves Ezserver up; the second try, ten times that at 10,000 A's, crashes Ezserver. OK, next step.

[*] Debug

- Now we will try to find out what happens to Ezserver when it crashes. For this step we use Immunity Debugger: open Immunity and attach it to Ezserver.
- Don't forget to let the process run, then send the fuzzer payload again.


- The registers ESP, ESI and EDI are filled with our A's. Immunity asks us to pass the exception to the application.



- Our EIP and the SEH chain are also overwritten with "\x41".
- Now that we know we can reach EIP, we find the EIP offset with a cyclic pattern: generate one with pattern_create 10000 and send it with our fuzzer.




- The register now holds 336f4832; looking it up with pattern_offset gives our offset, "5888".
- Next we confirm it with DEADBEEF.
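How the offset lookup above works, as an added example that is not part of the original post: a small Python reimplementation of Metasploit's pattern_create / pattern_offset. It reproduces the page's own numbers, mapping the crash value 336f4832 (read as a little-endian dword) back to offset 5888 in a 10,000-byte pattern.

```python
import string
import struct

# Metasploit's cyclic pattern: every 3-byte chunk is <Upper><lower><digit>,
# so any 4-byte window is unique within the first 20280 bytes.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern (like pattern_create.rb)."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_UNIQUE)
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length].encode("ascii")
    return "".join(chunks)[:length].encode("ascii")


def pattern_offset(value, length=10000):
    """Locate `value` in the pattern (like pattern_offset.rb).

    `value` is either the 8-hex-digit register contents seen in the debugger
    (e.g. '336f4832' or '0x336f4832'), which is unpacked as a little-endian
    dword, or the raw 4-character text. Returns the offset, or -1 if not found.
    """
    text = value[2:] if value.lower().startswith("0x") else value
    if len(text) == 8 and all(c in string.hexdigits for c in text):
        needle = struct.pack("<I", int(text, 16))  # x86 stores dwords little-endian
    else:
        needle = text.encode("ascii")
    return pattern_create(length).find(needle)


def dword_at(offset, length=10000):
    """Reverse check: the dword a register would hold if bytes offset..offset+3 landed in it."""
    return struct.unpack("<I", pattern_create(length)[offset:offset + 4])[0]


if __name__ == "__main__":
    # The crash value from the Immunity screenshot maps to the offset the post reports.
    print(pattern_offset("336f4832"))       # 5888
    print(hex(dword_at(5888)))              # 0x336f4832
```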


- The SEH chain now reads DEADBEEF. Next we bypass SEH with a POP POP RETN sequence.

- We search Ezserver's own DLL, MSVCRTD.dll, and find one at address 10209696 = "\x96\x96\x20\x10".

- We toggle a breakpoint on that address to see whether execution reaches it.




After toggling the breakpoint we run the fuzzer again.




EIP successfully lands on our intended POP POP RETN address, so we can now bypass SEH.

[*] Exploit






- Here is the diagram I drew of how we will try to open the "Calculator" app.
- First is the buffer, which is 5888 bytes long.
- The buffer is filled with 5884 bytes of "A" followed by our short jump. The short jump is \xEB\x06, where 06 means jump 6 bytes forward. Because the field is 32 bits wide, we pad the 2-byte jump with 2 NOPs, \x90\x90.
- Then comes our payload; we use a Metasploit payload for executing a command.




- Here is the payload for calc.exe.

- And here is our final fuzzer. Let's run it.

- And it looks like we did it.

- In the next post we will try to send our shellcode using an egghunter!
