Wednesday, 22 February 2012

SEH Exploit: Easy Chat Server Buffer Overflow Method

This is a screenshot of the Easy Chat Server interface:



This time I try a buffer overflow against Easy Chat Server by building a fuzzer. The fuzzer is almost the same as the BigAnt fuzzer, with a few differences. Run the application under OllyDbg, write the fuzzing script shown below, and run it.
 
When the fuzzer runs it sends a buffer of 20000 bytes to Easy Chat Server. Easy Chat Server crashes, but the EIP register is not directly overwritten by the buffer that was sent. To inspect the SEH chain choose View --> SEH chain, which shows the following:
Then press Shift+F9, which gives:
Now EIP is 41414141. Next, look at the data in the application's memory: right-click the stack line --> Follow in Dump,

which shows:
Next, find the location of a POP, POP, RETN sequence: in OllyDbg choose View --> Executable Modules and double-click SSLEAY32.dll,
 


which opens the CPU window for SSLEAY32.dll.
Right-click --> Search for --> Sequence of Commands and enter POP r32, POP r32, RETN, as in the picture below:
 
Click Find; the result is shown below.
Next, generate a pattern with pattern_create to overwrite SEH.
Once the offset is known, copy it into the script and modify the script as below.
Run the fuzzer again; when the result appears choose View --> SEH chain
and press Shift+F9, which shows:
Next, use pattern_offset to find the offset of the value now in EIP.
Once that value is known, modify the script,
save and run the fuzzer again, which shows:
Next, modify the script again, inserting the address of the POP, POP, RETN sequence from SSLEAY32.dll.

Run the fuzzer again, which shows the following (don't forget View --> SEH chain):

Then press Shift+F9; the result is shown below.

Next, right-click the first \xCC address (01316DDC) and choose Follow in Dump --> Selection; the result is shown below.

Next, generate the payload with msfweb:


Fill in the options as needed; for the bad characters, enter those found in the previous search.

Copy the payload into the script and modify the script as below.


Save and run the fuzzer again, then type "telnet <ip_address_target> <port>".


Then I try to run the Windows calculator from my BackTrack machine.


And the result:
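Seen from the server side, the steps above leave distinctive traffic: a 20000-byte fill buffer, a pattern_create sequence and \xCC markers. The following Python snippet is an added example, not part of the original post or of Easy Chat Server, that flags such requests in captured input; the request format, the thresholds and the sample requests are constructed assumptions, not the real Easy Chat Server protocol.

```python
import re

# Assumptions (not from the post): tune these for the service being protected.
MAX_REQUEST_LEN = 8192     # legitimate chat requests are assumed to be far shorter
MIN_FILL_RUN = 256         # a long run of a single byte is the classic fuzzer fill
# Shape of Metasploit pattern_create output: Aa0Aa1Aa2 ... (upper, lower, digit)
CYCLIC_RE = re.compile(rb"(?:[A-Z][a-z][0-9]){6,}")


def longest_byte_run(data):
    """Return (length, byte value) of the longest run of one repeated byte."""
    best_len, best_byte = 0, -1
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_len, best_byte = j - i, data[i]
        i = j
    return best_len, best_byte


def analyze_request(data):
    """Return the indicators found in one raw request; an empty list means clean."""
    findings = []
    if len(data) > MAX_REQUEST_LEN:
        findings.append("oversized")        # e.g. the 20000-byte buffer
    run_len, _ = longest_byte_run(data)
    if run_len >= MIN_FILL_RUN:
        findings.append("fill_run")         # e.g. "A" * 20000 giving EIP 41414141
    if CYCLIC_RE.search(data):
        findings.append("cyclic_pattern")   # offset-finding probe
    if b"\xcc" * 4 in data:
        findings.append("int3_sled")        # the \xCC markers seen in the walkthrough
    return findings


# Constructed sample requests (a made-up login form, not Easy Chat Server's own).
BENIGN = b"POST /login?user=alice&pass=s3cret HTTP/1.1\r\nHost: chat\r\n\r\n"
FUZZ = b"POST /login?user=" + b"A" * 20000 + b"&pass=x HTTP/1.1\r\n\r\n"
PROBE = (b"POST /login?user=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1"
         + b"\xcc" * 8 + b" HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("fuzz", FUZZ), ("probe", PROBE)):
        print(name, analyze_request(req) or "clean")
```

Feeding captured requests through analyze_request gives a cheap first-pass alert for fuzzing and offset-finding traffic before the crash reaches the SEH handler.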
