File Sharing Wizard SEH Remote exploits

To get the vulner of this aplication 1st lets running wiresark:

then after we get the informations which we catched from wiresark, now we will load it into our fuzzer:

and now open the file sharing wizard and OllyDbg, running it with the fuzzer

now the file sharing wizard became crash and when we see from ollydbg , the SEH handler is 41414141, with press shift+F9 we can overwrite the EIP now.

the next step is we must get POP,POP RETN address,

we got thePOP RETN address from nt.dll module library is 662D08F5.

Now we are loking for offset to overwrite SEH using pattern create

so we need 1025 byte as the trigger of SEH Handler

Controlling CPU process

then breakpoint on the address of POP RETN , like this:

 

 from the picture above, when we breakpoint the address already pointed to the SEH Handler.

Generate Shellcode

 Using Metasploit Frame work, with typing cd /pentest/exploits/framework2 then type ./msfweb

and goes to web browser of metasploits 

after we get the payload we need to remove all the bad characters and test it again untill it totally free from bad character, like below:

then put in fuzzer

 and finally