Friday, February 17, 2012

Fuzzing: Direct Return Based Exploit, WarFtp Part 2

In my previous post about fuzzing WarFtp (part 1) I failed to exploit the WarFtp FTP application. Today I will explain why and what failed. I failed because I only knew how to run the OllyDbg debugger and WarFtp, starting and closing them repeatedly. In an exploitation session using a fuzzer you must spend a long time in front of your PC and read about the fuzzing technique, so trial and error is a good experience.

Scenario:
The attacker requests the service through an FTP client and sends the fuzzer's input over FTP. The victim has the WarFtp application open. After the attacker runs the fuzzer, the victim's WarFtp crashes with an error. The error is good news for the attacker, because it reveals a vulnerability in the application that the attacker can use to remotely control the victim.

First you must delete the FtpDaemon on the victim (Windows XP SP2) and add a new user; in this session I add the username usertest with the password user.

[Screenshot: WarFtp on the victim]
As in Fuzzing WarFtp part 1, run Netcat (nc) to connect to the victim, then write the fuzzer in Python and run it. After running the fuzzer the victim's WarFtp crashes with an error. Look at OllyDbg: the registers ESP, EBP and EIP are overwritten.
[Screenshot: WarFtp registers overwritten]
The stack buffer overflows and overwrites EBP. ESP is the stack register called the stack pointer; it points to the top of the stack. EBP is also a stack register (the base pointer), used to reference local variables and function arguments on the stack. EIP is the instruction pointer register; it controls program execution by holding the address of the next instruction to be executed.
[Screenshot: pattern_create]
We use the pattern_create tool to create our initial buffer and pattern_offset to calculate the exact buffer length at which the return address (EIP) is overwritten.
[Screenshot: output of pattern_create]
Let's modify the fuzzer and copy the output from pattern_create into the fuzzer.
[Screenshot: fuzzer, version 2]
After modifying the fuzzer, run it to overwrite ESP and EBP.
[Screenshot: ESP and EBP]
Look at the ESP and EBP registers: we can control these registers with the fuzzer. Now we have ASCII output in ESP, EBP and EIP. Let's check and calculate which bytes do the overwriting by using pattern_offset.
[Screenshot: pattern_offset]
The offsets are 485 and 493 bytes. Modify the fuzzer by filling in the values from pattern_offset and write DEADBEEF in little-endian byte order into the fuzzer. Run it and see: we can control the EIP register and make it hold DEADBEEF.
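pattern_create and pattern_offset are the Metasploit helpers used above. The Python below is an added example (not the post's own fuzzer and not Metasploit's code) that reimplements the same technique: build a cyclic pattern in which every 4-byte window is unique, then look up the window read back from a register to get the offset. The little_endian helper shows why DEADBEEF is written reversed in the fuzzer. The register value used in the test is constructed, not taken from the WarFtp crash.

```python
"""Cyclic pattern and offset finder, the technique behind pattern_create /
pattern_offset, reimplemented as an added example. Crash values are constructed."""
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length: int) -> bytes:
    """Build a non-repeating pattern of the requested length.

    Each 3-byte triple (upper, lower, digit) is unique within the first
    26*26*10*3 = 20280 bytes, so any 4-byte window read back from a register
    identifies a single position in the buffer.
    """
    triples = (u + l + d for u, l, d in itertools.product(UPPER, LOWER, DIGIT))
    out = "".join(itertools.islice(triples, (length // 3) + 1))
    return out[:length].encode()


def pattern_offset(value, length: int = 20280):
    """Return the position of *value* inside the pattern, or None if absent.

    *value* may be the bytes seen in a register (b"Aa5A") or the integer the
    debugger shows (e.g. 0x41356141). x86 stores the integer little-endian,
    so it is unpacked with "<I" to recover the byte order that was sent.
    """
    if isinstance(value, int):
        value = struct.pack("<I", value)
    pos = pattern_create(length).find(value)
    return pos if pos != -1 else None


def little_endian(addr: int) -> bytes:
    """Pack a 32-bit address as x86 little-endian: 0xDEADBEEF becomes EF BE AD DE,
    which is why the value is written reversed in the fuzzer."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print(pattern_create(20))                 # b'Aa0Aa1Aa2Aa3Aa4Aa5Aa'
    print(pattern_offset(0x41356141))         # 15, the offset of "Aa5A"
    print(little_endian(0xDEADBEEF).hex())    # efbeadde
```

The debugger shows EIP as an integer, so feeding that integer to pattern_offset (rather than retyping the ASCII) avoids the classic mistake of reading the four bytes in the wrong order and getting an offset that is off by up to three.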
[Screenshot: fuzzer, version 3]
Let's run it and look at EIP.
[Screenshot: EIP = DEADBEEF]
EIP is overwritten with DEADBEEF, and at the bottom you can see the memory filled with the junk "ccccc" ASCII, because the fuzzer script has a NOP sled (\x90), meaning no operation. Open "00AFFD58 CCCCC" and find user32 or shell32. In this session I choose shell32 and open it.
[Screenshot: Executable modules]
Open shell32 and search for JMP ESP: right-click, choose the search command, and type JMP ESP into the text box.
[Screenshot: JMP ESP]
Next open msfweb and run it; once it is running, open your browser and go to 127.0.0.1:55555 to get the payload.
[Screenshot: msfweb]
[Screenshot: running msfweb]
Let's search for the payload. In this session I will try to open the calculator because it is small, and don't forget to fill in the restricted characters box with 0x00 0x0a 0x0d. Why? Because these characters can stop the payload from running.
[Screenshot: msfweb filter]
[Screenshot: payload Execute Command]


Edit the fuzzer and put the payload into it, then run your fuzzer and watch the victim.

[Screenshot: final fuzzer]
Run your fuzzer...
[Screenshot: calculator]
Nice ....
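Seen from the server's side, the whole session above is an FTP command whose argument is far longer than any username and carries either a cyclic pattern or a NOP sled. The following Python is an added example (not part of the original post) of the kind of check a defender can run over captured FTP command lines to flag that traffic; the length threshold, the sled length and the sample commands are constructed for illustration, not taken from WarFtp.

```python
"""Defender-side check for the FTP traffic pattern discussed in this post:
an overlong USER/PASS argument carrying a cyclic pattern or a NOP sled.
Added example; thresholds and sample commands are constructed."""
import re

MAX_ARG_LEN = 128    # assumed sane upper bound for a USER/PASS argument
NOP_SLED_MIN = 16    # assumed minimum run of 0x90 bytes worth flagging
CYCLIC_RE = re.compile(rb"(?:[A-Z][a-z][0-9]){4,}")   # Aa0Aa1Aa2Aa3... style
NOP_RE = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)


def inspect_ftp_command(line: bytes) -> list:
    """Return the findings for one raw FTP command line (without the CRLF)."""
    verb, _, arg = line.partition(b" ")
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"overlong argument ({len(arg)} bytes) to {verb.decode(errors='replace')}")
    if CYCLIC_RE.search(arg):
        findings.append("cyclic pattern (pattern_create style) in argument")
    if NOP_RE.search(arg):
        findings.append("NOP sled (run of 0x90) in argument")
    if any(b < 0x20 or b > 0x7E for b in arg):
        findings.append("non-printable bytes in argument")
    return findings


def scan(commands) -> list:
    """Scan a sequence of raw command lines; return (index, verb, findings)
    for every line that produced at least one finding."""
    hits = []
    for i, line in enumerate(commands):
        findings = inspect_ftp_command(line)
        if findings:
            hits.append((i, line.split(b" ", 1)[0], findings))
    return hits


# Constructed sample session: a normal login followed by two fuzzing-style commands.
SAMPLE_COMMANDS = [
    b"USER usertest",
    b"PASS user",
    b"USER " + b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5" * 12,
    b"USER " + b"A" * 300 + b"\x90" * 32,
]

if __name__ == "__main__":
    for idx, verb, findings in scan(SAMPLE_COMMANDS):
        print(idx, verb.decode(), findings)
```

The pattern check is the useful one during a red-team exercise or a post-incident review: a pattern_create buffer in an FTP log is a reliable sign that someone was measuring offsets against the service, which is worth an alert long before a working payload shows up.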
