Lets see how we can use the Metasploit framework to sniff the victim’s network and what we can get from that.
A MacBook with Vmware Fusion on it.
Target: A Virtual Guest with Windows XP SP3 with two Ip addresses 172.16.225.10 , 192.168.0.10
Attacker: A Virtual Guest with Backtrack 5R1 with the Ip address 172.16.225.251
- The following stuff is done in an environment of Win XP SP3 VM w/ .NET v2.0 .. Also tested in Win7x64 and Win7x86 -
- Tools used : Just ollydbg
- App can be found in :http://www.flexcrypt.com/flexcryptfree.html .
Everything started when I firstly saw the security magazine “Hakin9” (http://hakin9.org/) presenting FlexCrypt .. I downloaded flexcrypt, and started to testing functionality etc… But I have a bad habit… after some minutes, instead of looking the functionality, i fired up Ollydbg and started exploring its code… I focused on every interface that was accepting user’s input. I wanted to check some BoF vulnerabilities. My attention was caught by the Registration Dialogbox. Fuzzing the input by hand (exception appears in string length > 452) I noticed that the application throws an exception…! That needs examination..
First of all, we assume that the operation is simple : U press Validate -> some function (1) reads your input storing it to a buffer -> string manipulations and memory allocations happen -> some function (2) validates your input -> message for good or bad news 🙂
So, hands on.. attaching Olly on the process, cause the application to overflow entering a long input. Olly shows up, and we land in KERNEL32 :