Friday, January 18, 2013

Buffer Overflow Stack part 2a

Exploitation of BisonFTP on Windows XP SP2
Original exploit header:
# BisonFTP Server <=v3.5 Remote Buffer Overflow Exploit
# Newer versions not tested, maybe vulnerable too
# written by localh0t
# Date: 10/08/11
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar | www.mfsec.com.ar

Victim = Windows XP SP2
Attacker = Backtrack 5 R3
Victim:
First attach the debugger to the running FTP server (using OllyDbg with the OllySSEH plugin).

Attacker:
Fuzzing Bison FTP with 1600 bytes.
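As an added defender-side example (not part of the original post or of the exploit it describes), here is a small Python checker that flags the kind of FTP control-channel input this fuzzing step sends: an argument far longer than any legitimate client uses, a cyclic offset-finding pattern, or non-printable bytes in the argument. The sample lines, the 256-byte threshold and the command names are constructed assumptions, not values taken from the post.

```python
import re
import string

# Constructed sample control-channel lines (not captured from the post): three
# ordinary commands followed by three that resemble overflow probing.
SAMPLE_LINES = [
    "USER anonymous",
    "PASS guest@example.com",
    "CWD /pub",
    "USER " + "A" * 1600,                 # one oversized argument, like the 1600-byte fuzz
    "USER " + "Aa0Aa1Aa2Aa3Aa4Aa5",       # start of a Metasploit-style cyclic pattern
    "PORT " + "\x90" * 4 + "\x7f",        # non-printable bytes in a command argument
]

MAX_ARG_LEN = 256   # assumed threshold; legitimate arguments are far shorter
# Four or more consecutive upper/lower/digit triplets: the shape of pattern_create output.
CYCLIC_RE = re.compile(r"(?:[A-Z][a-z][0-9]){4,}")


def inspect_ftp_command(line: str, max_arg_len: int = MAX_ARG_LEN) -> list:
    """Return the reasons (possibly none) an FTP command looks like overflow probing."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    reasons = []
    if len(arg) > max_arg_len:
        reasons.append(f"{verb}: argument length {len(arg)} exceeds {max_arg_len}")
    if CYCLIC_RE.search(arg):
        reasons.append(f"{verb}: argument contains a cyclic offset-finding pattern")
    if any(c not in string.printable for c in arg):
        reasons.append(f"{verb}: argument contains non-printable bytes")
    return reasons


def scan_control_channel(lines) -> dict:
    """Map line index -> reasons for every line that triggers at least one check."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = inspect_ftp_command(line)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for i, reasons in scan_control_channel(SAMPLE_LINES).items():
        print(f"line {i}: {'; '.join(reasons)}")
```

The length check alone catches the plain 1600-byte crash string; the other two checks matter because the later steps on this page send a cyclic pattern and then raw shellcode through the same command, which a length threshold tuned too high would miss.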

Victim:
The result on our victim machine is a server crash and an overwrite of EIP. Note the EBX register; we will use it later.

Attacker:
Generate a 1600-byte cyclic (non-repeating) pattern string using Metasploit's pattern_create.


Attacker: Add our 1600-byte string to our POC.
Attacker: Resend the buffer / POC to the victim.

Victim: OllyDbg's output reads EBX: 3Bm4, EIP: 42376E42.

Attacker: Now we calculate the pattern offset using Metasploit's pattern_offset.
Attacker:
Now we rewrite the buffer to overwrite EIP with B's (ASCII "\x42").

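The pattern_create / pattern_offset step above, as an added example written for this page rather than taken from the post or from Metasploit: a re-implementation of Metasploit's upper/lower/digit cyclic pattern and the lookup that maps a crash value back to an offset. The point it makes explicit is that the EIP value OllyDbg shows (42376E42) is a little-endian dword, so the bytes that sat in memory are "Bn7B", whereas the ASCII that OllyDbg prints beside EBX ("3Bm4") is already in memory order. The 1600-byte length is the post's; the two offsets are computed here and are not shown on the page.

```python
import string

# Character classes used by Metasploit's pattern_create.rb (Aa0Aa1...Aa9Ab0...Zz9).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGIT = string.digits


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the non-repeating upper/lower/digit pattern.

    Every 3-byte triplet is unique, so any 4 consecutive bytes occur at exactly
    one position; that is what makes the reverse lookup unambiguous.
    """
    out = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for d in DIGIT:
                out += (up + lo + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte period of the pattern")


def pattern_offset(value: str, length: int = 1600) -> int:
    """Map a 4-byte value seen in the debugger back to its offset in the pattern.

    `value` is either an 8-hex-digit register dump (e.g. "42376E42"), which is
    reversed into the little-endian byte order that sat in memory, or the 4
    ASCII characters OllyDbg prints beside a register (e.g. "3Bm4"), which are
    already in memory order. Returns -1 if the value is not in the pattern.
    """
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = int(value, 16).to_bytes(4, "little")
    elif len(value) == 4:
        needle = value.encode("ascii")
    else:
        raise ValueError("expected 8 hex digits or 4 ASCII characters")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Register values from the post's OllyDbg output; the offsets are computed here.
    print("EIP 42376E42 ->", pattern_offset("42376E42"))   # 1191
    print("EBX ASCII 3Bm4 ->", pattern_offset("3Bm4"))     # 1151
```

pattern_offset returns the byte offset from the start of the sent string, i.e. how many filler bytes precede the four that land in EIP. If, as OllyDbg's ASCII annotation suggests, EBX points into the sent buffer, the second lookup tells you where that pointer lands relative to the buffer start, which is why the post can use EBX to reach the buffer later.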
Victim:
To confirm we control EIP, we resend the buffer from the attacker machine and watch for EIP to be overwritten with B's (ASCII "\x42").

Attacker:
Verify that we do in fact control EIP, and pad the buffer to keep it at our desired 1600 bytes.

Victim: Again the debugger halts the program's execution flow and shows EIP overwritten with B's.

Excellent! We now control EIP. But how do we reach the code we will inject into this buffer? We need a way to get to our shellcode. Remember the EBX register? Find a "system" DLL we can use to jump to our shellcode.
Using SHELL32.dll we find a JMP EBX we can use.

Victim:

Attacker:
Rewrite the buffer to include our JMP EBX address and the remainder of the 1600-byte buffer.

Victim:
Using OllyDbg we set a breakpoint on the JMP EBX. If all works well, the debugger should catch our execution flow at JMP EBX.

Attacker:
Resend Buffer.

Victim:
OllyDbg catches the execution flow at JMP EBX.

Victim:

We hit the breakpoint we set in OllyDbg. Now we step past the breakpoint by pressing Shift+F9. Note the available space for shellcode: this is where our shellcode will execute.

Attacker:
Now use Metasploit to generate shellcode.

Attacker:
Rewrite the buffer to keep it at approximately 1600 bytes.

Restart BisonFTP... this time with no debugger attached!

Attacker:
Start a Netcat listener on port 4444!

Attacker:
Send our completed exploit!

Working exploit!! w00tw00t we have r00t :)

1 comment:

  1. Hello Admin,

    Thanks a lot, your post helped me a lot when I am under pressure.

    --Regards,
    Mahendra Nath
