File Sharing Wizard

This time I will be demonstrating the exploitation of SEH another application is file sharing wizard,
just download the application here.
still like the previous post, I use OllyDbg as the media to see the processes that occur therein.
before we look for vulnerability to sniffing tools, wireshark, is carried out to find loopholes that will be our exploitation.
I need not explain how to use wireshark,



http listed there,
this is what we will kick ass :)
we will try to beat from the header.
write a script like this
 
actually we have another way, namely username overflow, but the way it is very difficult, therefore I will try from header only. buum! application disappears, it marks the application crashes, to find out what happens, we try to get into OllyDbg
after running the fuzzer, press SHIFT + F9

  
there appear a lot of character, it is the data that we send over the first script that we created earlier.
that data more regularly and to know how EIP value to hit, we use the create and insert the data pattern from the pattern to the script fuzzer

and then press F9 to pass him by SEH, note the value of EIP and then check using the pattern offset
 
 
 
enter the value we are looking into the script by subtracting 4 bytes fuzzer as a benchmark to determine the value tersebt is just right, write the script as below
 
 
if successful, the value would be like this
  
The next process is to control the CPU
write a script like this
 
 
beware!, the value of \ xF5 \ x08 \ x2D \ X66 is the springboard of the module hnetcfg.dll POP R32, R32 POP, RETN
 
 

 If successful the application will break when the process of passing the address.Do not forget, each running a fuzzer always press shift + F9 in OllyDbg to forward data from the SEH chain into the memory



 the last step is to make web payloads using metasploit
do as the steps below,


 insert the payload into the fuzzer, follow the following steps, Observe the code of each payload so as not to lead to something later
and finally



up to this post, I am still trying to find answers to the exploitation of this application .Keep the spirit!  

Comments

Popular posts from this blog

Introduction Maltego

EXE file structure