Friday, 28 September 2012

Non SEH Vulnerability Development II (Local)

In my last post about non-SEH vulnerability development with a remote shellcode, we used the warFTP application as the target. Now we try Easy RM to MP3 Converter as a local shellcode target.
The preparation is basically the same as before, so we can go straight to the steps.

1. Fuzzing
Create a fuzzer in Python that generates a file which crashes Easy RM (ERM) with a buffer overflow.

Run the fuzzer; the result should be a file named coba.m3u (an MP3 playlist). Open coba.m3u in Easy RM in the lab: ERM crashes and closes immediately.

2. Debugger
Check in OllyDbg and make sure that the EIP register is overwritten with 0x41414141.

3. Byte position using MSF
Run the pattern_create tool with the command

root@bt:/opt/metasploit-4.3.0/msf3/tools# ./pattern_create.rb 26100 > erm.txt

and copy the generated pattern into the fuzzer.

OllyDbg showed:

Run the pattern_offset tool with the EIP value from OllyDbg to get the offset,
and edit the fuzzer:
After running it on ERM it showed:
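The cyclic-pattern trick behind this step, as an added Python example that is not from the original post: a small reimplementation of what pattern_create.rb and pattern_offset.rb do, with the little-endian conversion of the EIP value shown by OllyDbg handled explicitly. The unique part of the pattern is 20280 bytes long, so a 26100-byte pattern like the one above repeats and can match at more than one offset; the lookup returns every match so the ambiguity is visible.

```python
import struct
import string

# Metasploit-style cyclic pattern: every 3-byte triplet is Upper, lower, digit
# (Aa0Aa1Aa2 ... Zz9), which gives 26*26*10*3 = 20280 bytes before it repeats.
UNIQUE_LEN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return a cyclic pattern of `length` bytes (repeats after UNIQUE_LEN)."""
    triplets = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                triplets.append(u + l + d)
                if len(triplets) * 3 >= length:
                    return "".join(triplets)[:length]
    # Requested length exceeds the unique part: wrap around like the MSF tool.
    base = "".join(triplets)
    return (base * (length // len(base) + 1))[:length]


def pattern_offset(pattern, eip):
    """Find where the 4 bytes that landed in EIP sit inside `pattern`.

    `eip` may be the value as shown by the debugger ('0x37694236' or an int),
    which is little-endian, or the 4-character ASCII string itself.
    Returns a list of offsets; more than one entry means the pattern wrapped
    and the crash length must be narrowed down to disambiguate.
    """
    if isinstance(eip, int):
        needle = struct.pack("<I", eip).decode("ascii")
    elif eip.lower().startswith("0x"):
        needle = struct.pack("<I", int(eip, 16)).decode("ascii")
    else:
        needle = eip
    offsets = []
    pos = pattern.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = pattern.find(needle, pos + 1)
    return offsets


if __name__ == "__main__":
    pat = pattern_create(26100)          # same length as the post's erm.txt
    # Constructed debugger value: 0x41306141 is "Aa0A" in little-endian order.
    print(pattern_offset(pat, "0x41306141"))
```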




4. JMP ESP
Find the address of a JMP ESP instruction in shell32.dll and set it in the fuzzer:
After the breakpoint, OllyDbg showed:




5. Generate payload and add the NOP sled
Use the same payload method as before (a bind shell for Windows) to generate the payload code, then copy the code into the fuzzer.

Run the fuzzer, then open the final coba.m3u in Easy RM Converter without OllyDbg. The last step is to connect to the target IP on port 4444, and the result should be:



...and done. Happy trying ^^...
