Assalamu'alaikum wr. wb...guys, meet you again, and right now we want to try exploiting EZ server v. 6 running on windows XP SP3. Ok lets get it on...
1. Information Gathering, Service Enumeration
We can use nmap or zenmap to explore information about our target
Ok from information we found, port 8000/tcp opened and service that running is HTTP 1.0
2. Vulnerability Assesment
In this step we can make simple script, basic on python and use get request on HTTP 1.0
save script as ezexploit.py and run it. What happened is EZ server suddenly crashed, it means EZ server that running on port 8000 is vulner....
3. Exploiting with SEH Buffer Overflow
Now We try to analyze from our LAB with Ollydbg, after fuzzer run to EZ Server.
From picture showed that ESP overwrite by "A" junk but EIP not yet overwrite, thats because EZ have SEH Handler. Now our duty its try to by pass SEH and know the address of EIP. So we can make pattern, using this command :
# ./pattern_create.rb 7000 > ezstring.txt
open ezstring file and copy the codes into our fuzzer,
and then run fuzzer again on our target. After it, try to see SEH chain at Ollydbg, and we found
alright....we got it, now next step is find offset from address SE handles shown using command,
# ./pattern_offset.rb 48316F48 7000
5883
Ok before change fuzzer script, we must know that we one way to handle SEH is using POP,POP,RETN method. To find modules that run that method we can use OllySSEH plugin to automaticaly scan it. You can download the plugin at
OllySSEH plugin . This plugin does an in-memory scanning of process loaded modules
checking if they were compiled with /SafeSEH, if so it can list the
registered handlers (you can follow them at CPU window doing double
click). This plugin is useful when exploiting vulnerabilities in systems with Software DEP protection.
The plugin lists all loaded modules and can give you the following results for each one:
/SafeSEH Off : No /SafeSEH, jump party ;-)
/SafeSEH ON : /SafeSEH active, you can list registered handles
using rigth click.
No SEH : SEH is not active for this module, take a look
at PE/COFF specs (IMAGE_DLLCHARACTERISTICS_ NO_SEH)
Error : There was an error reading module structure :-(
and after we try scanning, the result was.
Ok, there are 3 files, js32dll, MSVCRTD.dll and Ezserver6.exe. Forget Ezserver6.exe, so we can just find between js32.dll or MSVCRTD.dll. Now we can search for POP r32,POP r32, RETN command if there exist in the module
ok after we found that MSVCRT.dll, compatible to by pass SEHandler on EZserver, now we change the script like this
and make sure we set breakpoint on POP r32 address >> 10209696, and run fuzzer again.
From picture showed, we know that EIP have overwrited. Then we set jump short code into fuzzer same as before, how many byte we jump is free (in this case we use 6 byte jump), JMP SHORT command is used to ordered CPU to jump forward to the next few bytes according which is input by the user, and then the CPU will start the process of execution from the address.
As we see, the address showed 01FFFF09 - 01FFFFF9 or in decimal 240 byte junk. Now our duty is to make shellcode amounted no more than 240 bytes
generate payload and then copy the code into our fuzzer
and....look by yourself the result...
but, wait it it's not finish yet, to be continue...^^