Step1: create two file on attacker side 1) default index.html and 2) cursor file to load
Now save the proof of concept in a txt file(cursor.txt).
use above command to cut down the hex part from proof of concept and paste it in buffer.ani
Step2:upload the above two files in your apache webserver.
Step3: Try to open index.html from window-xp and analyse the behavior of IE using ollydgb in order to find the offset address where EIP will get over written.
Attach IE in ollydgb and put malicious url in it.
Now we will put the address of jump instruction in place of 42424242 which we will get from user32.dll by searching for command JUMP DWORD [EBX],now we jumped at ebx because it contain the malicious .ani file address.
Just go into view=>executable=>user32.dll , press enter.
Now try to find a jump [ebx] instruction in user32.dll by pressing ctrl+f.Now note down the address of this instruction.Now goto buffer.ani and copy that address in place of 42424242 but in reverse order.
if address is 77d4e573 then write 73e5d477.
Step4:Add the payload in buffer.ani file,as show in above figure.Now in order to jump to our payload we will add two jump opcodes in our buffer.ani.one is eb 16(short jump of 24byte) and other is eb 77(short jump of 119) ,these two short jumps will direct the flow of execution of program to our malicious payload code.Now just open our malicious page from win-xp and wait for the superuser shell.Dont forget to list on port 443 using netcat!!
Now you can use this page to get shell from any window-xp or vista user.
Comments
Post a Comment